SD-WAN integration with OCVPN

OCVPN has the capability to enable SD-WAN in order to dynamically add its tunnel interfaces as SD-WAN members. Users can configure SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.

The following example uses a dual hub and spoke topology. Each hub and spoke has two WAN link connections to the ISP. The spokes generate two IPsec tunnels to each hub (four tunnels in total). BGP neighbors are established over each tunnel and routes from the hubs and other spokes learned from all neighbors, which forms an ECMP scenario. All tunnels are placed as SD-WAN members, so traffic can be distributed across tunnels based on the configured SD-WAN service rules.

To integrate SD-WAN with OCVPN in the GUI:
  1. Configure the primary hub:
    1. Go to VPN > Overlay Controller VPN and set the Status to Enable.
    2. For Role, select Primary Hub.
    3. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (

      The WAN interface is position sensitive, meaning a tunnel will be created with the first position interface on the hub to the first position interface on the spoke, and so on. In this example, FGT_A (primary hub) will create two tunnels with FGT_C (spoke):

      • FGT_A port15 <==> FGT_C internal1
      • FGT_A port16 <==> FGT_C internal2
    4. Enable Auto-discovery shortcuts.
    5. Enable Add OCVPN tunnels to SD-WAN. The IPsec