vulcannz:
Again, that is not true. I've done it plenty. Each connection SA has a unique SPI. Each client can maintain a connection even if everyone is on that same IP. Otherwise you'd have problems with CGNAT, hotels, airport lounges and so forth. I've been in a hotel with 800 people from the same company using the same IPSEC VPN portal with no problems whatsoever.
The only time you'd ever see such an issue was a long, long time ago, when routers at the client end did not properly support Protocols 50 and 51 and could not handle multiple outbound NAT sessions for IPSEC.
Network security is what I do for a job. VPNs are a big part of that (IPSEC site to site/client and SSL). Over the last 18 years I've worked with VPNs on Sonicwall/Juniper/Netscreen/Palo Alto/Fortinet and Checkpoint boxes.
You are again referring to clients. The VPN gateway should have capabilities to distinguish clients behind the same IP by some kind of mapping (like using connmarks/SAref on Linux; I would not argue about Juniper/Cisco/whatever). With the Windows L2TP/IPsec (IKEv1) combo it's even more tricky, because clients behind the same NAT device will try to install the same IPsec policy <public NAT IP>[udp/l2tp] === <server IP>[udp/l2tp]. The Windows L2TP client always uses udp/1701 as source and destination ports and does not care about NAT device mappings. IKEv2 is probably a solution; the Windows IPsec implementation supports it, but Cyberoam UTM does not.
I appreciate your 18y of broad experience, but the devil hides in the details. I would advise the topic starter to use something like OpenVPN or buy static IPs for remote clients.
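
An added illustration of the two lookups argued about in this thread (not part of either post and not any vendor's implementation): inbound ESP is demultiplexed by SPI, while a transport-mode L2TP reply is matched by traffic selector, which is identical for every client behind the same NAT unless a connmark-style mapping is kept. The `Gateway` class, its method names, and all addresses, SPIs and ports are hypothetical, constructed values.

```python
# Simplified, constructed model of gateway-side IPsec state; not any vendor's code.
# Addresses, SPIs and NAT-T ports below are made-up sample values.
NAT_IP, SERVER_IP, L2TP_PORT = "203.0.113.10", "198.51.100.1", 1701


class Gateway:
    def __init__(self):
        self.inbound_sad = {}   # inbound SPI -> SA (unique per connection)
        self.outbound_spd = {}  # traffic selector -> list of SAs that claim it
        self.marked = {}        # connection mark -> SA (connmark-style mapping)

    def install_l2tp_transport_sa(self, client, spi_in, natt_src_port):
        # Transport mode: the selector is built from the addresses and ports of
        # the protected traffic. Every client behind the NAT yields this tuple.
        selector = ("udp", SERVER_IP, L2TP_PORT, NAT_IP, L2TP_PORT)
        sa = {"client": client, "spi_in": spi_in, "natt_src_port": natt_src_port}
        self.inbound_sad[spi_in] = sa
        self.outbound_spd.setdefault(selector, []).append(sa)
        self.marked[spi_in] = sa  # assumption: mark derived from the inbound SPI
        return selector

    def classify_inbound(self, spi):
        """Inbound ESP is demultiplexed by SPI, so clients never collide here."""
        return self.inbound_sad[spi]["client"]

    def outbound_candidates(self, selector):
        """Reply from the L2TP daemon, looked up by selector only."""
        return [sa["client"] for sa in self.outbound_spd.get(selector, [])]

    def outbound_with_mark(self, selector, mark):
        """Reply carrying the mark that was set when the request was decapsulated."""
        sa = self.marked[mark]
        if sa not in self.outbound_spd.get(selector, []):
            raise LookupError("mark does not belong to this selector")
        return sa["client"], sa["natt_src_port"]


def demo():
    gw = Gateway()
    sel_a = gw.install_l2tp_transport_sa("client-a", 0xC0FFEE01, 4500)
    sel_b = gw.install_l2tp_transport_sa("client-b", 0xC0FFEE02, 61022)
    return gw, sel_a, sel_b


if __name__ == "__main__":
    gw, sel_a, sel_b = demo()
    print("same selector:", sel_a == sel_b)
    print("inbound by SPI:", gw.classify_inbound(0xC0FFEE02))
    print("outbound by selector:", gw.outbound_candidates(sel_a))
    print("outbound with mark:", gw.outbound_with_mark(sel_a, 0xC0FFEE02))
```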