Connect Meraki VPN to another manufacturer

LeoAri
Here to help


Hi everyone, I have a Meraki in one location. I'd like to use WAN 2 to connect to a Fortinet using a dedicated fiber optic cable via a VPN connection, as shown in the graphic.

alemabrahao
Kind of a big deal

Here it is.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-setup-IPsec-VPN-between-FortiGate-a...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
LeoAri
Here to help

Hello, thanks for the example, but it shows IPs with internet access. In this case, the link between the branches does not have an internet connection; it is a dark fiber. I will use private IPs.

alemabrahao
Kind of a big deal

It is not possible to do what you want.

Pached
Here to help

Hi Alemabrahao, can you explain why? If the Meraki has internet and is able to route over the dark fibre to the Fortinet, I expect it to work. But I haven't set this up in the past.

alemabrahao
Kind of a big deal

Because it is a point-to-point connection, it will not be possible to establish a VPN connection.

PhilipDAth
Kind of a big deal

You could create a VLAN port on the MX and Fortinet, plug the dark fibre into those LAN ports, and simply use static routes to move the traffic between the two sites.

No VPN required.

Pached
Here to help

I assume he wants encryption over the dark fiber. Typically I would employ MACsec, but I don't think Meraki supports it.

LeoAri
Here to help

Hello, I also thought about that possibility, but due to internal regulations, they require a site-to-site VPN configuration on the dark fiber, just as they would on any firewall or router.

PhilipDAth
Kind of a big deal

What kind of connection is WAN1? By chance, a /29? If so, plumb the dark fibre in there and allocate it one of your public IP addresses.

Otherwise, it is tricky.  I am thinking of how I would solve this one.

You probably can't do MACsec because this is to a Fortinet firewall, and also because you probably don't have switches that can do MACsec.

No matter what, this is going to require the purchase of additional hardware.  The question is which way will be the cheapest option.

I think I would lean towards a C1111-8P with an HSEC licence if the throughput requirement was less than 1Gb/s (double-check the IPsec throughput of this model; this is off the top of my head).

https://www.cisco.com/c/en/us/products/collateral/routers/1000-series-integrated-services-routers-is...

You could also consider a Cisco Firepower 1120 (depending on throughput requirements).
https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-74246...