Can I run multiple IPSec Site-to-Site Tunnels

latency0ms · Jul 18, 2022, 8:15 AM

Hello

I have successfully set up an IPSec site-to-site tunnel with a customer, everything is working just fine.

I was wondering if I could set up and run multiple IPSec tunnels with different customers at the same time. Do I have to define a new port per customer / connection like with OpenVPN? Or do I need to assign one separate WAN Address / Interface per IPSec Tunnel / Customer?

How are the individual IPSec tunnels distinguished from each other?
What happens if two customers have the same subnet?

Your answers are very much appreciated.

Thank you.

Thale · Jul 22, 2022, 12:48 PM

You can run multiple IPSEC tunnels to different locations at the same time, and can use the same interface for them. A rough answer about distinguishing between them is that separate Phase 1 tunnels are distinguished by the start and end points defining the tunnel.

If two customers have the same subnet in use in their network, you will only be able to connect to one of them in your Phase 2 setup. Your system would have no way to know which one to route traffic to if you had a connection to both. If one of them uses multiple subnets in their network, and only one of them overlaps, then you could still connect to the other non-duplicate subnets.

latency0ms · Jul 22, 2022, 1:59 PM

@thale That makes sense, thanks for the explenation!

viragomann · Jul 22, 2022, 1:59 PM

@latency0ms
Want to add, there is an option to get two overlapping remote subnets to work by NAT in phase 2. However, this has to be configured on one of the remote endpoints.