Network segregation via IPsec gateways?



Hi all,

I have the following network set-up:

There is a router with 1 WAN port and 2 LAN ports. I want to deploy
IPsec gateways for both LANs to enforce security, i.e. only encrypted
traffic may enter or leave the LANs through the IPsec gateways. To
further ensure that access from one LAN to the other is not possible,
I would deploy a separate IPsec gateway for each LAN. I am thinking of
deploying IPsec gateways that are physically separated from the
router, as shown in the following sketch:

          +---------------+        +-----------+
LAN1------| IPsec gateway |--------|           |
          +---------------+        |           |
                                   |  Router   |------WAN
          +---------------+        |           |
LAN2------| IPsec gateway |--------|           |
          +---------------+        +-----------+


Alternatively, I could deploy the IPsec gateways in the router, saving
me from deploying 2 additional hardware boxes for the IPsec gateways
as shown in the config. above. This could be done by virtualisation of
the IPsec gateways, or by simply implementing a single IPsec gateway
in the router that serves both LANs.

However, my "feeling" is that this may be less secure in terms of
vulnerability to hackers from the WAN or the LAN side (i.e. a hacker
in LAN1 wanting to gain access to LAN2), but I am not able to
justify this...

Can anyone share his/her opinion on whether the 3 different configs. are
equivalent in terms of security and vulnerability to hacks? Any
hint on how to assess this is appreciated. Thanks!
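For the third option (one IPsec gateway inside the router serving both LANs) the two requirements from the post, encrypted-only traffic through the gateway and no LAN1/LAN2 crossing, end up resting on one packet-filter policy rather than on separate boxes. The following iptables script is an added example, not part of the post; it assumes Linux interface names lan1, lan2 and wan, and that the IKE daemon installs LAN1's tunnel with reqid 1 and LAN2's with reqid 2 (an assumption; reqids are set per connection in the IKE daemon's configuration).

```shell
#!/bin/sh
# Added example: packet-filter policy for a single Linux router that hosts
# the IPsec gateway for both LANs. Interface names (lan1, lan2, wan) and the
# tunnel reqids (1 for LAN1, 2 for LAN2) are assumptions, not from the post.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Default deny everywhere: anything not explicitly allowed is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # The router itself speaks only IKE (UDP 500/4500) and ESP on the WAN
    # side, plus loopback. No management access from the LANs is opened here.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -i wan -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A OUTPUT -o wan -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT  -i wan -p esp -j ACCEPT
    $IPT -A OUTPUT -o wan -p esp -j ACCEPT

    # LAN1 <-> LAN2 isolation: never forward between the two LANs,
    # independent of any IPsec policy.
    $IPT -A FORWARD -i lan1 -o lan2 -j DROP
    $IPT -A FORWARD -i lan2 -o lan1 -j DROP

    # LAN -> WAN: forward a packet only if the kernel's xfrm policy will
    # encapsulate it in that LAN's own tunnel (policy match on the reqid).
    # Cleartext that matches no tunnel falls through to the DROP policy.
    $IPT -A FORWARD -i lan1 -o wan -m policy --dir out --pol ipsec --reqid 1 -j ACCEPT
    $IPT -A FORWARD -i lan2 -o wan -m policy --dir out --pol ipsec --reqid 2 -j ACCEPT

    # WAN -> LAN: accept only packets that arrived inside the matching tunnel,
    # so traffic decrypted from LAN2's tunnel can never be forwarded into LAN1.
    $IPT -A FORWARD -i wan -o lan1 -m policy --dir in --pol ipsec --reqid 1 -j ACCEPT
    $IPT -A FORWARD -i wan -o lan2 -m policy --dir in --pol ipsec --reqid 2 -j ACCEPT
}

# Usage: sh ipsec_router.sh apply      (dry run: IPT=echo sh ipsec_router.sh apply)
if [ "${1-}" = "apply" ]; then
    apply_rules
fi
```

With one box, every line above is the whole LAN boundary; in the two-box layout a mistake in one gateway's filter still leaves the other LAN behind its own gateway.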