Hi Marwan,

> 3. Client1 connects multiple devices to the VPN, each device has a
> unique virtual IP address and can be accessed through Client1's VPN

How does it do that? Do you mean it allocates addresses from 10.0.0.0/24 to those clients? (Without the server being aware of that, which is not a good idea.) Or does it NAT traffic from these devices to the IP address it received from the VPN server?

> 6. Same as step 3, however these devices are not accessible from
> Client1's VPN and vice versa

So why not use distinct subnets? Reaching these devices from other hosts (e.g. behind the VPN server, or the server itself) could be tricky if they have the same IP addresses assigned. And depending on the traffic selector on the server's side and whether you use marks, this will actually result in duplicate IPsec policies, which won't work.

And are you sure this would be easier with a site-to-site setup instead of using virtual IP pools in the first place? The IP addresses used on the client end could still be "virtual IPs", i.e. only usable inside the VPN, but they wouldn't be assigned by the server (using duplicate subnets is still tricky, though).

Regards,
Tobias