Fortinet black logo

Administration Guide

SD-WAN integration with OCVPN

SD-WAN integration with OCVPN

OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members. Users can configure SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.

The following example uses a dual hub and spoke topology. Each hub and spoke has two WAN link connections to the ISP. The spokes generate two IPsec tunnels to each hub (four tunnels in total). BGP neighbors are established over each tunnel and routes from the hubs and other spokes learned from all neighbors, which forms an ECMP scenario. All tunnels are placed as SD-WAN members, so traffic can be distributed across tunnels based on the configured SD-WAN service rules.

To integrate SD-WAN with OCVPN in the GUI:
  1. Configure the primary hub:
    1. Go to VPN > Overlay Controller VPN and set the Status to Enable.
    2. For Role, select Primary Hub.
    3. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (10.254.0.0/16).
      Note

      The WAN interface is position sensitive, meaning a tunnel will be created with the first position interface on the hub to the first position interface on the spoke, and so on. In this example, FGT_A (primary hub) will create two tunnels with FGT_C (spoke):

      • FGT_A port15 <==> FGT_C internal1
      • FGT_A port16 <==> FGT_C internal2
    4. Enable Auto-discovery shortcuts.
    5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
  2. Configure the overlays on the primary hub:
    1. In the Overlays section, click Create New.
    2. Enter a name and add the local interface (port2). Note the overlay is either based on local subnets or local interfaces, but not both.

      By default, inter-overlay traffic is not enabled. Toggle Allow traffic from other overlays to enable it.

    3. Click OK and repeat these steps to create the second overlay (loop1).

    4. Click Apply.

  3. Configure the secondary hub with the same settings as the primary hub.
  4. Configure the spoke:
    1. Go to VPN > Overlay Controller VPN and set the Status to Enable.
    2. For Role, select Spoke.
    3. Enter the WAN interfaces (internal1 and internal2).
    4. Enable Auto-discovery shortcuts.
    5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
    6. Configure the overlays.
      Note

      The overlay names on the spokes must match the hub for the traffic to be allowed through the same overlay.

    7. Click Apply.

  5. Configure the other spoke with the same settings.
  6. On a spoke, go to Network > SD-WAN Zones to view the configuration generated by OCVPN.

    Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface. Each policy will define the proper local and remote networks for its source and destination addresses.

To integrate SD-WAN with OCVPN in the CLI:
  1. Configure the primary hub:
    config vpn ocvpn
        set role primary-hub
        set sdwan enable    
        set wan-interface "port15" "port16"   
        set ip-allocation-block 10.254.0.0 255.255.0.0   
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "port2"
                    next
                end
            next
            edit "overlay2"
                config subnets
                    edit 1
                        set type interface
                        set interface "loop1"
                    next
                end
            next
        end
    end
  2. Configure the secondary hub with the same settings as the primary hub.
  3. Configure the spoke:
    config vpn ocvpn
        set status enable
        set sdwan enable
        set wan-interface "internal1" "internal2"
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "wan2"
                    next
                end
            next
            edit "overlay2"
                config subnets
                    edit 1
                        set type interface
                        set interface "loop1"
                    next
                end
            next
        end
    end
  4. Configure the other spoke with the same settings.
  5. Configure SD-WAN:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "_OCVPN2-0a"
            next
            edit 2
                set interface "_OCVPN2-0b"
            next
            edit 3
                set interface "_OCVPN2-1a"
            next
            edit 4
                set interface "_OCVPN2-1b"
            next
        end
    end

    Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface. Each policy will define the proper local and remote networks for its source and destination addresses.

    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To verify the integration is working after the ADVPN shortcut is triggered:
  1. Check the routing table on the spoke:
    FGT_C # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 172.16.17.2, internal1
                      [10/0] via 172.16.18.2, internal2
    B       10.1.100.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
    B       10.1.200.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
    B       10.2.100.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    B       10.2.200.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    B       10.254.0.0/16 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:15
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:15
                          [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    C       10.254.0.0/21 is directly connected, _OCVPN2-0a
    C       10.254.0.1/32 is directly connected, _OCVPN2-0a
    C       10.254.8.0/21 is directly connected, _OCVPN2-0b
    C       10.254.8.1/32 is directly connected, _OCVPN2-0b
    C       10.254.64.0/21 is directly connected, _OCVPN2-1a
    C       10.254.64.1/32 is directly connected, _OCVPN2-1b_0 <==shortcut tunnel
    C       10.254.64.2/32 is directly connected, _OCVPN2-1a
    C       10.254.72.0/21 is directly connected, _OCVPN2-1b
    C       10.254.72.2/32 is directly connected, _OCVPN2-1b
                           is directly connected, _OCVPN2-1b_0
    C       172.16.17.0/24 is directly connected, internal1
    C       172.16.18.0/24 is directly connected, internal2
    C       172.16.200.0/24 is directly connected, wan1
    C       192.168.1.0/24 is directly connected, internal
    C       192.168.4.0/24 is directly connected, wan2
    B       192.168.5.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                           [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
    C       192.168.44.0/24 is directly connected, loop1
    B       192.168.55.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                            [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                            [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                            [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
  2. Check the VPN tunnel state:
    FGT_C # diagnose vpn tunnel list
    
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=_OCVPN2-1b_0 ver=2 serial=1c 172.16.18.3:0->172.16.15.4:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc  accept_traffic=1 overlay_id=4
    
     parent=_OCVPN2-1b index=0
    proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=r/2
    stat: rxp=641 txp=1025 rxb=16436 txb=16446
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1b proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=42650/0B replaywin=1024
           seqno=407 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=43186/43200
      dec: spi=90f03d9d esp=aes key=16 6cb33685bbc67d5c85488e0176ecf7b0
           ah=sha1 key=20 7d11b3babe62c840bf444b7b1f637b4324722a71
      enc: spi=7bc94bda esp=aes key=16 b4d8fc731d411eb24448b4077a5872ca
           ah=sha1 key=20 b724064d827304a6d80385ed4914461108b7312f
      dec:pkts/bytes=641/16368, enc:pkts/bytes=2053/123426
      npu_flag=03 npu_rgwy=172.16.15.4 npu_lgwy=172.16.18.3 npu_selid=1f dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-0a ver=2 serial=18 172.16.17.3:0->172.16.13.1:0 dst_mtu=1500
    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=1
    
    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
    stat: rxp=1665 txp=2922 rxb=278598 txb=70241
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-0a proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
           seqno=890 esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=90f03d95 esp=aes key=16 a6ffcc197bb1b46ec745d0b595cdd69a
           ah=sha1 key=20 8007c134e41edf282f95daf9c9033d688ef05ccc
      enc: spi=a1bf21bf esp=aes key=16 ead05be389b0dec222f969e2f9c46b1d
           ah=sha1 key=20 b04105d34d4b0e61b018f2e60591f9b1510783bb
      dec:pkts/bytes=1665/278538, enc:pkts/bytes=4237/265074
      npu_flag=03 npu_rgwy=172.16.13.1 npu_lgwy=172.16.17.3 npu_selid=1b dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-1a ver=2 serial=1a 172.16.17.3:0->172.16.11.1:0 dst_mtu=1500
    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=3
    
    proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=r/2
    stat: rxp=1 txp=2913 rxb=16376 txb=69642
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1a proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41653/0B replaywin=1024
           seqno=887 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42900/43200
      dec: spi=90f03d9b esp=aes key=16 ee03f5b0f617a26c6177e91d60abf90b
           ah=sha1 key=20 f60cbbc4ebbd6d0327d23137da707b7ab2dc49e6
      enc: spi=a543a7d3 esp=aes key=16 1d37efab13a5c0347b582b2198b15cb8
           ah=sha1 key=20 427ee4c82bac6f26f0bcabfe04328c7f57ce682e
      dec:pkts/bytes=1/16316, enc:pkts/bytes=4229/264036
      npu_flag=03 npu_rgwy=172.16.11.1 npu_lgwy=172.16.17.3 npu_selid=1d dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-0b ver=2 serial=19 172.16.18.3:0->172.16.14.1:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=2
    
    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
    stat: rxp=1665 txp=2917 rxb=278576 txb=69755
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-0b proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
           seqno=88b esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=90f03d96 esp=aes key=16 9d7eb233c1d095b30796c3711d53f2fd
           ah=sha1 key=20 d8feacd42b5e0ba8b5e38647b2f2734c94644bd1
      enc: spi=a1bf21c0 esp=aes key=16 d2c0984bf86dc504c5475230b24034f0
           ah=sha1 key=20 3946e4033e1f42b0d9a843b94448f56fd5b57bee
      dec:pkts/bytes=1665/278516, enc:pkts/bytes=4233/264411
      npu_flag=03 npu_rgwy=172.16.14.1 npu_lgwy=172.16.18.3 npu_selid=1c dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-1b ver=2 serial=1b 172.16.18.3:0->172.16.12.1:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=4
    
    proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=0 ad=r/2
    stat: rxp=1 txp=2922 rxb=16430 txb=70173
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1b proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41656/0B replaywin=1024
           seqno=890 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42903/43200
      dec: spi=90f03d9c esp=aes key=16 a655767c1ed6cff4575857eb3981ad81
           ah=sha1 key=20 bfc2bccd7103a201be2641d4c6147d437d2c3f70
      enc: spi=a543a7d4 esp=aes key=16 7221b814e483165b01edfdc8260d261a
           ah=sha1 key=20 d54819643c2f1b20da2aea4282d50a1f1bc1d72a
      dec:pkts/bytes=1/16370, enc:pkts/bytes=4238/265164
      npu_flag=03 npu_rgwy=172.16.12.1 npu_lgwy=172.16.18.3 npu_selid=1e dec_npuid=1 enc_npuid=1
  3. Check the SD-WAN state:
    FGT_C # diagnose sys sdwan health-check
    Health Check(Default_DNS):
    Health Check(Default_Office_365):
    Health Check(Default_Gmail):
    Health Check(Default_AWS):
    Health Check(Default_Google Search):
    Health Check(Default_FortiGuard):
    Health Check(ocvpn):
    Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
    Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
    Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
    Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
    Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0

SD-WAN integration with OCVPN

OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members. Users can configure SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.

The following example uses a dual hub and spoke topology. Each hub and spoke has two WAN link connections to the ISP. The spokes generate two IPsec tunnels to each hub (four tunnels in total). BGP neighbors are established over each tunnel and routes from the hubs and other spokes learned from all neighbors, which forms an ECMP scenario. All tunnels are placed as SD-WAN members, so traffic can be distributed across tunnels based on the configured SD-WAN service rules.

To integrate SD-WAN with OCVPN in the GUI:
  1. Configure the primary hub:
    1. Go to VPN > Overlay Controller VPN and set the Status to Enable.
    2. For Role, select Primary Hub.
    3. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (10.254.0.0/16).
      Note

      The WAN interface is position sensitive, meaning a tunnel will be created with the first position interface on the hub to the first position interface on the spoke, and so on. In this example, FGT_A (primary hub) will create two tunnels with FGT_C (spoke):

      • FGT_A port15 <==> FGT_C internal1
      • FGT_A port16 <==> FGT_C internal2
    4. Enable Auto-discovery shortcuts.
    5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
  2. Configure the overlays on the primary hub:
    1. In the Overlays section, click Create New.
    2. Enter a name and add the local interface (port2). Note the overlay is either based on local subnets or local interfaces, but not both.

      By default, inter-overlay traffic is not enabled. Toggle Allow traffic from other overlays to enable it.

    3. Click OK and repeat these steps to create the second overlay (loop1).

    4. Click Apply.

  3. Configure the secondary hub with the same settings as the primary hub.
  4. Configure the spoke:
    1. Go to VPN > Overlay Controller VPN and set the Status to Enable.
    2. For Role, select Spoke.
    3. Enter the WAN interfaces (internal1 and internal2).
    4. Enable Auto-discovery shortcuts.
    5. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN members if SD-WAN is enabled.
    6. Configure the overlays.
      Note

      The overlay names on the spokes must match the hub for the traffic to be allowed through the same overlay.

    7. Click Apply.

  5. Configure the other spoke with the same settings.
  6. On a spoke, go to Network > SD-WAN Zones to view the configuration generated by OCVPN.

    Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface. Each policy will define the proper local and remote networks for its source and destination addresses.

To integrate SD-WAN with OCVPN in the CLI:
  1. Configure the primary hub:
    config vpn ocvpn
        set role primary-hub
        set sdwan enable    
        set wan-interface "port15" "port16"   
        set ip-allocation-block 10.254.0.0 255.255.0.0   
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "port2"
                    next
                end
            next
            edit "overlay2"
                config subnets
                    edit 1
                        set type interface
                        set interface "loop1"
                    next
                end
            next
        end
    end
  2. Configure the secondary hub with the same settings as the primary hub.
  3. Configure the spoke:
    config vpn ocvpn
        set status enable
        set sdwan enable
        set wan-interface "internal1" "internal2"
        config overlays
            edit "overlay1"
                config subnets
                    edit 1
                        set type interface
                        set interface "wan2"
                    next
                end
            next
            edit "overlay2"
                config subnets
                    edit 1
                        set type interface
                        set interface "loop1"
                    next
                end
            next
        end
    end
  4. Configure the other spoke with the same settings.
  5. Configure SD-WAN:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "_OCVPN2-0a"
            next
            edit 2
                set interface "_OCVPN2-0b"
            next
            edit 3
                set interface "_OCVPN2-1a"
            next
            edit 4
                set interface "_OCVPN2-1b"
            next
        end
    end

    Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface. Each policy will define the proper local and remote networks for its source and destination addresses.

    Note

    If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To verify the integration is working after the ADVPN shortcut is triggered:
  1. Check the routing table on the spoke:
    FGT_C # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    S*      0.0.0.0/0 [10/0] via 172.16.17.2, internal1
                      [10/0] via 172.16.18.2, internal2
    B       10.1.100.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
    B       10.1.200.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
    B       10.2.100.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    B       10.2.200.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    B       10.254.0.0/16 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:15
                          [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:15
                          [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                          [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
    C       10.254.0.0/21 is directly connected, _OCVPN2-0a
    C       10.254.0.1/32 is directly connected, _OCVPN2-0a
    C       10.254.8.0/21 is directly connected, _OCVPN2-0b
    C       10.254.8.1/32 is directly connected, _OCVPN2-0b
    C       10.254.64.0/21 is directly connected, _OCVPN2-1a
    C       10.254.64.1/32 is directly connected, _OCVPN2-1b_0 <==shortcut tunnel
    C       10.254.64.2/32 is directly connected, _OCVPN2-1a
    C       10.254.72.0/21 is directly connected, _OCVPN2-1b
    C       10.254.72.2/32 is directly connected, _OCVPN2-1b
                           is directly connected, _OCVPN2-1b_0
    C       172.16.17.0/24 is directly connected, internal1
    C       172.16.18.0/24 is directly connected, internal2
    C       172.16.200.0/24 is directly connected, wan1
    C       192.168.1.0/24 is directly connected, internal
    C       192.168.4.0/24 is directly connected, wan2
    B       192.168.5.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                           [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                           [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                           [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                           [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
    C       192.168.44.0/24 is directly connected, loop1
    B       192.168.55.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                            [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                            [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                            [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                            [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                            [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
  2. Check the VPN tunnel state:
    FGT_C # diagnose vpn tunnel list
    
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=_OCVPN2-1b_0 ver=2 serial=1c 172.16.18.3:0->172.16.15.4:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc  accept_traffic=1 overlay_id=4
    
     parent=_OCVPN2-1b index=0
    proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=r/2
    stat: rxp=641 txp=1025 rxb=16436 txb=16446
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1b proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=42650/0B replaywin=1024
           seqno=407 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=43186/43200
      dec: spi=90f03d9d esp=aes key=16 6cb33685bbc67d5c85488e0176ecf7b0
           ah=sha1 key=20 7d11b3babe62c840bf444b7b1f637b4324722a71
      enc: spi=7bc94bda esp=aes key=16 b4d8fc731d411eb24448b4077a5872ca
           ah=sha1 key=20 b724064d827304a6d80385ed4914461108b7312f
      dec:pkts/bytes=641/16368, enc:pkts/bytes=2053/123426
      npu_flag=03 npu_rgwy=172.16.15.4 npu_lgwy=172.16.18.3 npu_selid=1f dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-0a ver=2 serial=18 172.16.17.3:0->172.16.13.1:0 dst_mtu=1500
    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=1
    
    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
    stat: rxp=1665 txp=2922 rxb=278598 txb=70241
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-0a proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
           seqno=890 esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=90f03d95 esp=aes key=16 a6ffcc197bb1b46ec745d0b595cdd69a
           ah=sha1 key=20 8007c134e41edf282f95daf9c9033d688ef05ccc
      enc: spi=a1bf21bf esp=aes key=16 ead05be389b0dec222f969e2f9c46b1d
           ah=sha1 key=20 b04105d34d4b0e61b018f2e60591f9b1510783bb
      dec:pkts/bytes=1665/278538, enc:pkts/bytes=4237/265074
      npu_flag=03 npu_rgwy=172.16.13.1 npu_lgwy=172.16.17.3 npu_selid=1b dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-1a ver=2 serial=1a 172.16.17.3:0->172.16.11.1:0 dst_mtu=1500
    bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=3
    
    proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=r/2
    stat: rxp=1 txp=2913 rxb=16376 txb=69642
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1a proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41653/0B replaywin=1024
           seqno=887 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42900/43200
      dec: spi=90f03d9b esp=aes key=16 ee03f5b0f617a26c6177e91d60abf90b
           ah=sha1 key=20 f60cbbc4ebbd6d0327d23137da707b7ab2dc49e6
      enc: spi=a543a7d3 esp=aes key=16 1d37efab13a5c0347b582b2198b15cb8
           ah=sha1 key=20 427ee4c82bac6f26f0bcabfe04328c7f57ce682e
      dec:pkts/bytes=1/16316, enc:pkts/bytes=4229/264036
      npu_flag=03 npu_rgwy=172.16.11.1 npu_lgwy=172.16.17.3 npu_selid=1d dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-0b ver=2 serial=19 172.16.18.3:0->172.16.14.1:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=2
    
    proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
    stat: rxp=1665 txp=2917 rxb=278576 txb=69755
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-0b proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
           seqno=88b esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42899/43200
      dec: spi=90f03d96 esp=aes key=16 9d7eb233c1d095b30796c3711d53f2fd
           ah=sha1 key=20 d8feacd42b5e0ba8b5e38647b2f2734c94644bd1
      enc: spi=a1bf21c0 esp=aes key=16 d2c0984bf86dc504c5475230b24034f0
           ah=sha1 key=20 3946e4033e1f42b0d9a843b94448f56fd5b57bee
      dec:pkts/bytes=1665/278516, enc:pkts/bytes=4233/264411
      npu_flag=03 npu_rgwy=172.16.14.1 npu_lgwy=172.16.18.3 npu_selid=1c dec_npuid=1 enc_npuid=1
    ------------------------------------------------------
    name=_OCVPN2-1b ver=2 serial=1b 172.16.18.3:0->172.16.12.1:0 dst_mtu=1500
    bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1 overlay_id=4
    
    proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=0 ad=r/2
    stat: rxp=1 txp=2922 rxb=16430 txb=70173
    dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-1b proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41656/0B replaywin=1024
           seqno=890 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
      life: type=01 bytes=0/0 timeout=42903/43200
      dec: spi=90f03d9c esp=aes key=16 a655767c1ed6cff4575857eb3981ad81
           ah=sha1 key=20 bfc2bccd7103a201be2641d4c6147d437d2c3f70
      enc: spi=a543a7d4 esp=aes key=16 7221b814e483165b01edfdc8260d261a
           ah=sha1 key=20 d54819643c2f1b20da2aea4282d50a1f1bc1d72a
      dec:pkts/bytes=1/16370, enc:pkts/bytes=4238/265164
      npu_flag=03 npu_rgwy=172.16.12.1 npu_lgwy=172.16.18.3 npu_selid=1e dec_npuid=1 enc_npuid=1
  3. Check the SD-WAN state:
    FGT_C # diagnose sys sdwan health-check
    Health Check(Default_DNS):
    Health Check(Default_Office_365):
    Health Check(Default_Gmail):
    Health Check(Default_AWS):
    Health Check(Default_Google Search):
    Health Check(Default_FortiGuard):
    Health Check(ocvpn):
    Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
    Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
    Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
    Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
    Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0