Fortigate Site to Site VPN: steer encrypted/unencrypted traffic, opinion
I would like to know your opinion about controlling which traffic should and should not be encrypted based on destination. The use case is:
- Agency K has a source A; traffic from A to network X should go encrypted through the S2S VPN.
- The SAME source A going to network Y should not be encrypted.
- Traffic for both networks X and Y should pass through the same firewall.
- The tricky part is that the source stays the same.
The idea I have so far is to create two tunnels: one IPsec and one GRE without encryption, group them both in an SD-WAN interface, and use SD-WAN rules to steer what should be encrypted (sent through the IPsec tunnel) and what should not (sent through the GRE tunnel).
@Jucker That is a good solution you have thought of. But my question is why you would use an SD-WAN interface? If one of the links fails (GRE or IPsec), traffic will try to be sent on the other link, because SD-WAN has an implicit rule that load balances traffic between members, and this may cause trouble with the traffic.
Much simpler would be to just create static routes for A to X through the IPsec tunnel.
@xshkurti Thank you for your response. The reason I went with the SD-WAN idea is this: from the perspective of the FGT that has the A network, static routes to X and Y are as simple as that, but what about the FGT that has the X and Y networks? In that case I need to route A over both tunnels, which makes it ECMP, and if there is traffic generated from X or Y toward A it will go over one of the tunnels; I wanted to avoid policy-based routing. What do you think?
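An added example (not from the thread, and not Fortinet's own documentation) of what the hub-side configuration for the FGT holding X and Y could look like, so return traffic toward A is steered by source network instead of falling into ECMP. It assumes FortiOS 7.x syntax and hypothetical names: tunnel interfaces "ipsec-to-K" and "gre-to-K", address objects "net-A", "net-X" and "net-Y", and an SD-WAN zone "zone-K".

```text
config system sdwan
    set status enable
    config zone
        edit "zone-K"
        next
    end
    config members
        edit 1
            set interface "ipsec-to-K"
            set zone "zone-K"
        next
        edit 2
            set interface "gre-to-K"
            set zone "zone-K"
        next
    end
    config service
        edit 1
            set name "X-to-A-encrypted"
            set mode manual
            set src "net-X"
            set dst "net-A"
            set priority-members 1
        next
        edit 2
            set name "Y-to-A-cleartext"
            set mode manual
            set src "net-Y"
            set dst "net-A"
            set priority-members 2
        next
    end
end
config router static
    edit 10
        set dst 10.10.10.0 255.255.255.0
        set sdwan-zone "zone-K"
    next
end
```

The route for A (constructed prefix 10.10.10.0/24 here) points at the zone rather than at a single tunnel, so the SD-WAN rules decide the member per flow; the spoke side needs the mirror rules with src "net-A" and dst "net-X"/"net-Y". Note that a manual-mode rule whose only member is down is skipped and the flow falls to the next rule or the implicit rule, which is exactly the fallback @xshkurti raised, so a rule with the IPsec member alone has no cleartext fallback only if no later rule or the implicit rule would match that traffic onto the GRE member.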