Duka
New Contributor II

Multiple IPSec VPN for using zones

Hi Everybody,

Some time ago I did a network segmentation in the headquarters based on zones (client, voip, server) and numerous policies. Now I have to do the same at a remote site (IPsec VPN). The remote site has the same logic as the main office, although not all VLANs are necessary (only client, VOIP). All routing between the VLANs is done at headquarters.

I would like to avoid the following solutions:

  • Using multiple interfaces in the policies, because I lose the "Interface Pair View".
  • Duplicate policies (this makes administration more complex).

My idea:
Multiple IPsec VPNs (with different public IPs in the main site - parameter "set local-gw") - one VPN per VLAN, whereby its interface can then be added to the corresponding zone and the existing rules are then used automatically.


Since I don't have a test environment, I wanted to ask beforehand whether this is even possible (routing..) or whether I've overlooked something here?


Graphic for better understanding.

Thanks in advance for your help


Regards
Patrick

1 Solution
Duka
New Contributor II

Hi,

The connection is now working as expected. As written by both of you, I also had to add the static routes (same priority) so that the connection works from the main office.

Key elements to solve this problem:
- Multiple IPsec VPNs with tunnel interface IPs on both sides
- Policy route on remote site - one per VLAN on remote site (gateway = IP of VPN interface on main site)
- Static routes on remote and main site
- Some policies to allow traffic


Many thanks to both of you


Regards
Patrick
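A FortiOS CLI sketch of the elements Patrick lists, added here as an illustration and not configuration posted in this thread. Interface names, the VLAN subnets, the 10.255.1.x tunnel addresses and the 203.0.113.x / 198.51.100.x public addresses are assumptions; the VoIP tunnel is built the same way on the second main-site public IP and joined to the "voip" zone.

```fortios
# --- Main site (headquarters) ---  assumed names and addresses throughout
config vpn ipsec phase1-interface
    edit "vpn-client"
        set interface "wan1"
        set local-gw 203.0.113.10        # dedicated public IP for this tunnel
        set remote-gw 198.51.100.20      # remote site public IP
        set psksecret <PLACEHOLDER-PSK>  # placeholder, not a real secret
    next
end
config vpn ipsec phase2-interface
    edit "vpn-client-p2"
        set phase1name "vpn-client"      # default selectors 0.0.0.0/0 on both sides
    next
end
config system interface
    edit "vpn-client"
        set ip 10.255.1.1 255.255.255.255        # tunnel interface IP, main site
        set remote-ip 10.255.1.2 255.255.255.255 # tunnel interface IP, remote site
    next
end
config system zone
    edit "client"
        set interface "vlan10" "vpn-client"      # existing zone policies now cover the tunnel
    next
end
config router static
    edit 10
        set dst 192.168.10.0 255.255.255.0       # remote client VLAN
        set device "vpn-client"
        set priority 10                          # same priority on the vpn-voip route
    next
end

# --- Remote site ---  its "vpn-client" interface mirrors ip/remote-ip (10.255.1.2 / 10.255.1.1)
config router policy
    edit 1
        set input-device "vlan10"                # one policy route per local VLAN
        set gateway 10.255.1.1                   # main-site tunnel interface IP
        set output-device "vpn-client"
    next
end
config router static
    edit 10
        set dst 10.0.0.0 255.0.0.0               # headquarters networks (assumed)
        set device "vpn-client"
        set priority 10                          # equal priority on every tunnel route
    next
end
```

Traffic from a remote VLAN enters the tunnel whose interface sits in the matching zone, so the headquarters policies written for that zone apply without duplication; the equal-priority static routes are what let sessions initiated from the main site pick a tunnel.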
