To support SD-WAN with IPsec VPN, the IPsec VPN tunnel configuration of all IPsec VPN tunnels that are members of the same SD-WAN zone in the same VDOM must send traffic to the same FPM. This means the ipsec-tunnel-slot configuration of the IPsec VPN tunnel must include a specific FPM. Setting master is not recommended, since the primary FPM can change. Setting auto is not supported.
Please note the following limitations for this feature:
Auto negotiation must be enabled in the IPsec VPN phase 2 configuration for all IPsec tunnels added to an SD-WAN zone.
An SD-WAN zone can include a mixture of IPsec VPN interfaces and other interface types (for example, physical interfaces). If an SD-WAN zone contains an IPsec VPN interface, all traffic accepted by interfaces in that SD-WAN zone is sent to the same FPM, including traffic accepted by other interface types.
SD-WAN health checking is not supported for IPsec VPN SD-WAN members.
SD-WAN traffic information, including packet statistics, policy hit counts, and so on, is not supported for IPsec VPN SD-WAN members.
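
The rules above can be checked mechanically before a change is applied. The following is an added example, not Fortinet code: it assumes the SD-WAN members have already been extracted from the configuration into tuples, and the interface names, VDOM names and the slot names FPM3 and FPM4 are constructed sample values.

```python
from collections import defaultdict

# Constructed inventory (not from the page): one row per SD-WAN member as
# (vdom, zone, interface, ipsec_tunnel_slot, phase2_auto_negotiate).
# Non-IPsec members carry None in the last two fields; FPM3/FPM4 are assumed names.
MEMBERS = [
    ("root", "overlay", "vpn-a", "FPM3", True),
    ("root", "overlay", "vpn-b", "FPM3", True),
    ("root", "overlay", "port1", None, None),
    ("root", "backup", "vpn-c", "FPM3", True),
    ("root", "backup", "vpn-d", "FPM4", False),
    ("branch", "overlay", "vpn-e", "master", True),
    ("branch", "overlay", "vpn-f", "auto", True),
]

def audit(members):
    """Return findings for each (VDOM, zone) that breaks the rules stated above."""
    zones = defaultdict(list)
    for vdom, zone, name, slot, autoneg in members:
        if slot is not None:  # only IPsec members carry a tunnel slot
            zones[(vdom, zone)].append((name, slot, autoneg))
    findings = []
    for (vdom, zone), tunnels in sorted(zones.items()):
        where = f"{vdom}/{zone}"
        for name, slot, autoneg in tunnels:
            if slot == "auto":
                findings.append(f"{where}: {name} uses auto (not supported)")
            elif slot == "master":
                findings.append(f"{where}: {name} uses master (not recommended)")
            if not autoneg:
                findings.append(f"{where}: {name} phase 2 auto-negotiate is disabled")
        # Every IPsec member of the zone must name the same FPM.
        slots = sorted({slot for _, slot, _ in tunnels})
        if len(slots) > 1:
            findings.append(f"{where}: tunnels split across {', '.join(slots)}")
    return findings

if __name__ == "__main__":
    for line in audit(MEMBERS):
        print(line)
```

The root/overlay zone passes even though it contains the physical interface port1, because mixed zones are allowed as long as every IPsec member names the same specific FPM.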