You should be able to configure a tunnel from the same LAN interface connected to your GWLB. The question is probably better answered with a clearer picture of your topology and whether you want to leverage the GWLB in the IPsec flow or not.
Attached is the diagram with GWLB and TGW. The VPN attachment to the TGW is a S2S from on-prem. The interface of the firewall in the data subnet is private. As there is a site-to-site tunnel from on-prem to the TGW, we will have access from instances behind the on-prem firewall to AWS resources with private IPs.
1. Can we use the same interface in the data subnet (which is used for GENEVE encapsulation for connecting to the GWLB) to terminate an IPsec tunnel?
2. Can we use the S2S from on-prem firewall "A" to the TGW to form the new S2S between another firewall "B" behind "A" and the firewall in the inspection VPC? It is kind of IPsec over IPsec.
3. Do you recommend any other connectivity to have a S2S from on-prem firewall "B" to the FortiGate in the inspection VPC with private IPs? The tunnel with private IPs is due to application compliance standards.
As the tunnel has to be formed between two private IPs as peers, we cannot do it with the TGW.
Is it possible to build IPsec over GENEVE? The firewall doesn't have a public IP on the interface, so we need to consider either Direct Connect or IPsec to the TGW for the initial connectivity for private IP communication.