I am planning to build tunnels between vyos 1.2.8 and Fortinet. However wondering and if anyone has experience about redundant tunnel between FG and VYOS. Which one should I approach? Policy based or VTI based?
On my vyos router I have two ISP links while FG being in cloud has only one internet link. I am planning to build two tunnels going out to FG.
I guess using vti based and running BGP/ECMP I can utilize both my internet links and with policy based not sure if I can achieve failover tunnel using DPD?
afaik, on fortigate, you can specify 0.0.0.0/0 as ipsec policy, which resembles vti
On fortigate, enable asymmetric routing. (allows request received on one tunnel sent back on other tunnel)
other issue: you need some policy based routing rules on VyOS, so encrypted (tunneled) packets having source IP=WAN1 are sent out on WAN1 , and those having source IP=WAN2 are sent out on WAN2
Why would outbound IP should take WAN1 and WAN2 IP addresses if I don’t masquerade it. I believe once the tunnels are up and have exchanged BGP routes its pretty simple then, is it not?
Though I am not aware from Fortinet end.
encrypted traffic gets new ipv4 header, with remote IPSEC peer as destination address and either WAN1-IP or WAN2-IP as source.
Then default route table will be used to determine how to send out this packet. So you can end up sending spoofed traffic. (Packets going out on WAN1 having WAN2 source IP or vice versa)