Fortinet white logo
Fortinet white logo

FortiGate-7000E Administration Guide

SD-WAN with multiple IPsec VPN tunnels

SD-WAN with multiple IPsec VPN tunnels

To support SD-WAN with IPsec VPN, the IPsec VPN tunnel configuration of all IPsec VPN tunnels that are members of the same SD-WAN zone in the same VDOM must send traffic to the same FPM. This means the ipsec-tunnel-slot configuration of the IPsec VPN tunnel must include a specific FPM. Setting ipsec-tunnel-slot to master is not recommended, since the primary FPM can change. Setting ipsec-tunnel-slot to auto is not supported.

Please note the following limitations for this feature:

  • Auto negotiation must be enabled in the IPsec VPN phase 2 configuration for all IPsec tunnels added to an SD-WAN zone.

  • An SD-WAN zone can include a mixture of IPsec VPN interfaces and other interface types (for example, physical interfaces). If an SD-WAN zone contains an IPsec VPN interface, all traffic accepted by interfaces in that SD-WAN zone is sent to the same FPM, including traffic accepted by other interface types.

  • SD-WAN health checking is not supported for IPsec VPN SD-WAN members.

  • SD- WAN traffic information, including packet statistics, policy hit counts, and so on is not supported for IPsec VPN SD-WAN members.

SD-WAN with multiple IPsec VPN tunnels

SD-WAN with multiple IPsec VPN tunnels

To support SD-WAN with IPsec VPN, the IPsec VPN tunnel configuration of all IPsec VPN tunnels that are members of the same SD-WAN zone in the same VDOM must send traffic to the same FPM. This means the ipsec-tunnel-slot configuration of the IPsec VPN tunnel must include a specific FPM. Setting ipsec-tunnel-slot to master is not recommended, since the primary FPM can change. Setting ipsec-tunnel-slot to auto is not supported.

Please note the following limitations for this feature:

  • Auto negotiation must be enabled in the IPsec VPN phase 2 configuration for all IPsec tunnels added to an SD-WAN zone.

  • An SD-WAN zone can include a mixture of IPsec VPN interfaces and other interface types (for example, physical interfaces). If an SD-WAN zone contains an IPsec VPN interface, all traffic accepted by interfaces in that SD-WAN zone is sent to the same FPM, including traffic accepted by other interface types.

  • SD-WAN health checking is not supported for IPsec VPN SD-WAN members.

  • SD- WAN traffic information, including packet statistics, policy hit counts, and so on is not supported for IPsec VPN SD-WAN members.