With a number of clients working on the same new WAN concepts, I thought I'd share this. It bears on security, assuming the carriers' networks are untrusted (remember warrantless wiretapping, and HIPAA?).
Until recently, IPSec tunnels were difficult to implement beyond a star topology, and firewall vendors didn't support dynamic routing over those tunnels. That made IPSec less flexible for primary / secondary WAN applications, and too complex for primary / secondary Internet-based VPNs.
The current 5.8 release from SonicWall includes the concept of a Tunnel Interface, which is the same as a site-to-site tunnel, but without the IP route policy. Instead, one or more route policies are defined separately and specify the Tunnel Interface as the gateway.
(In the attached KB article, note that the network drawing is mislabeled. The Management PC at Site A should be 192.168.168.250.)
The result is ultimate flexibility for policy-based routing over any transport, from primary / secondary encrypted WAN backup to routing by service type. Dynamic routing over IPSec makes it easier to grow beyond a star topology into parallel routes or a logical mesh.
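The sketch below is an added example, not SonicWall's code or anything from the KB article. It models route policies that name a Tunnel Interface as gateway (primary / secondary plus a per-service policy) and checks whether a protected prefix would fall through to an unencrypted default route when every tunnel is down. The interface names, prefixes, metrics, the "drop" discard route and the match ordering are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RoutePolicy:
    dest: str      # destination network (CIDR)
    service: str   # "any" or a service name such as "voip"
    gateway: str   # egress interface the policy points at
    metric: int    # lower wins among equally specific matches

# Hypothetical interface names; "drop" models a discard (null) route.
ENCRYPTED = {"tun-primary", "tun-backup"}
ALL_IFACES = ENCRYPTED | {"wan-cleartext", "drop"}

# Constructed sample table: remote site LAN is 10.2.0.0/16.
POLICIES = [
    RoutePolicy("10.2.0.0/16", "any", "tun-primary", 10),
    RoutePolicy("10.2.0.0/16", "any", "tun-backup", 20),
    RoutePolicy("10.2.0.0/16", "voip", "tun-backup", 5),
    RoutePolicy("0.0.0.0/0", "any", "wan-cleartext", 100),
]

def select(policies, dst, service, up):
    """Egress interface for a packet, or None if no live policy matches."""
    addr = ipaddress.ip_address(dst)
    live = [p for p in policies
            if p.gateway in up
            and addr in ipaddress.ip_network(p.dest)
            and p.service in ("any", service)]
    if not live:
        return None
    # Assumed ordering: longest prefix, then service-specific, then metric.
    return min(live, key=lambda p: (-ipaddress.ip_network(p.dest).prefixlen,
                                    p.service == "any", p.metric)).gateway

def cleartext_leaks(policies, protected):
    """Protected prefixes that egress unencrypted once every tunnel is down."""
    up = ALL_IFACES - ENCRYPTED
    leaks = []
    for net in protected:
        probe = str(ipaddress.ip_network(net)[1])  # first host in the prefix
        egress = select(policies, probe, "any", up)
        if egress not in (None, "drop"):
            leaks.append((net, egress))
    return leaks

def fail_closed(policies, net):
    """Add a last-resort discard policy so the default route is never used."""
    return policies + [RoutePolicy(net, "any", "drop", 255)]
```

In this model the sample table leaks 10.2.0.0/16 to the cleartext WAN when both tunnels are down, and the list returned by `fail_closed` does not.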
As a bonus, the new release also includes a Flows exporter, and a built-in Flows monitor for all traffic passing through the appliance. Pretty impressive, with lots of design flexibility.