Hi!
I have multiple IPsec policies for different local subnets for different purposes, and each subnet is used by equipment on a specific ethernet port. Each subnet has an ethernet port assigned to a bridge interface and a matching IP (which is set as the gateway on the devices on that ethernet port).
The setup is working fine; devices on each subnet communicate with remote subnets through the different policies. But now my question. Since policies are not bound to a specific interface, I guess it would be possible to send in traffic on any port to reach remote subnets other than the intended one for this specific port/subnet by just setting a fixed IP belonging to another subnet? How do I prevent this so each port/subnet can only access the policy intended for that subnet? If VTI (virtual tunnel interface) was supported I would have just placed that VTI in the right bridge together with an ethernet port, but without VTI there does not seem to be a way to bind policies to a specific bridge/interface? The only way I can think of to make this secure would be a firewall rule that prevents traffic to/from other subnets than intended for each bridge/port. Is that the correct approach?
Kind regards
David
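The spoofing scenario in the question, worked through as an added, platform-neutral illustration (this is not part of David's post and not a configuration for any particular router): a policy-based IPsec selector matches on source and destination addresses only, so a device on one port that assigns itself an address from another port's subnet satisfies the other subnet's policy. The fix is an anti-spoofing forward rule keyed on the ingress bridge. The topology, subnets, bridge names and the nftables-style rule syntax below are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the post): one local subnet per
# bridge, and one IPsec policy per local subnet towards a remote subnet.
BRIDGE_SUBNETS = {
    "bridge1": ipaddress.ip_network("192.168.10.0/24"),
    "bridge2": ipaddress.ip_network("192.168.20.0/24"),
}

# Policy-based IPsec selectors: (local subnet, remote subnet). Note that there
# is no ingress-interface field; that is exactly the gap the question describes.
IPSEC_POLICIES = [
    (ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.10.0.0/16")),
    (ipaddress.ip_network("192.168.20.0/24"), ipaddress.ip_network("10.20.0.0/16")),
]


@dataclass
class Packet:
    in_iface: str  # bridge the packet arrived on
    src: str
    dst: str


def matching_policy(pkt):
    """Return the (local, remote) selector pair the packet matches, or None."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for local, remote in IPSEC_POLICIES:
        if s in local and d in remote:
            return (local, remote)
    return None


def allowed_policy_only(pkt):
    """What the IPsec policy alone decides: the ingress interface is ignored,
    so a spoofed source address is enough to use another subnet's policy."""
    return matching_policy(pkt) is not None


def allowed_with_ingress_check(pkt):
    """Same decision with a per-bridge anti-spoofing forward rule in front:
    the source must belong to the subnet assigned to the ingress bridge.
    Once that holds, only the policy intended for that bridge can match."""
    bridge_net = BRIDGE_SUBNETS.get(pkt.in_iface)
    if bridge_net is None:
        return False  # unknown ingress interface: default deny
    if ipaddress.ip_address(pkt.src) not in bridge_net:
        return False  # source address does not belong on this port
    return matching_policy(pkt) is not None


def nft_rules():
    """Emit the equivalent forward-chain rules in nftables syntax (assumed
    syntax for a Linux box; adapt to your router's firewall dialect).
    One drop rule per bridge for traffic whose source is not that bridge's
    subnet, then an accept per policy, then a final drop."""
    rules = []
    for iface, net in BRIDGE_SUBNETS.items():
        rules.append(f'iifname "{iface}" ip saddr != {net} drop')
    for local, remote in IPSEC_POLICIES:
        rules.append(f"ip saddr {local} ip daddr {remote} accept")
    rules.append("drop")
    return rules


if __name__ == "__main__":
    # Constructed packets: a legitimate one and the spoofing case from the post
    # (device on bridge2 borrowing an address from bridge1's subnet).
    legit = Packet("bridge1", "192.168.10.5", "10.10.1.1")
    spoof = Packet("bridge2", "192.168.10.5", "10.10.1.1")
    for p in (legit, spoof):
        print(p, "policy only:", allowed_policy_only(p),
              "with ingress check:", allowed_with_ingress_check(p))
    print("\n".join(nft_rules()))
```

The ingress check is the whole point: it turns the per-subnet policy into a per-port policy without needing a VTI, because after it only addresses that belong on a bridge can leave that bridge, and those addresses can only ever match their own policy. The same idea applies in the return direction (decrypted traffic for a local subnet should only be forwarded out the bridge that owns that subnet), which plain routing normally already enforces.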