SD-WAN with multiple IPsec VPN tunnels
To support SD-WAN with IPsec VPN, the IPsec VPN tunnel configuration of all IPsec VPN tunnels that are members of the same SD-WAN zone in the same VDOM must send traffic to the same FPC. This means the ipsec-tunnel-slot configuration of the IPsec VPN tunnel must include a specific FPC. Setting ipsec-tunnel-slot to master is not recommended, since the primary FPC can change. Setting ipsec-tunnel-slot to auto is not supported.
SD-WAN with multiple IPsec VPN tunnels on a FortiGate 6000F has the following limitations:
- Auto negotiation must be enabled in the IPsec VPN phase 2 configuration for all IPsec tunnels added to an SD-WAN zone.
- An SD-WAN zone can include a mixture of IPsec VPN interfaces and other interface types (for example, physical interfaces). If an SD-WAN zone contains an IPsec VPN interface, all traffic accepted by interfaces in that SD-WAN zone is sent to the same FPC, including traffic accepted by other interface types.
- SD-WAN health checking is not supported for IPsec VPN SD-WAN members.
- SD-WAN traffic information, including packet statistics, policy hit counts, and so on, is not supported for IPsec VPN SD-WAN members.
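
The slot and auto-negotiation requirements above can be checked against a saved configuration before tunnels are added to a zone. The following Python script is an added example, not Fortinet code. It assumes the text is a single VDOM's configuration, that a specific FPC is written as a value such as FPC3, that an unset ipsec-tunnel-slot behaves as auto, and that members without a zone fall into virtual-wan-link; the tunnel and zone names are constructed.

```python
import shlex
from collections import defaultdict

def parse(text):
    """FortiOS-style config text -> {config path: {edit name: {key: value}}}."""
    out, path, entry = defaultdict(dict), [], None
    for line in text.splitlines():
        cmd, *args = shlex.split(line) or [""]
        if cmd == "config":
            path.append(" ".join(args))
        elif cmd == "edit":
            entry = out[" ".join(path)].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = None
        elif cmd == "end" and path:
            path.pop()
    return out

def audit(text):
    """Findings for IPsec SD-WAN members; the text is assumed to be one VDOM's config."""
    cfg, findings, slots = parse(text), [], defaultdict(set)
    p1, p2 = cfg["vpn ipsec phase1-interface"], cfg["vpn ipsec phase2-interface"]
    ipsec = [m for m in cfg["system sdwan members"].values() if m.get("interface") in p1]
    for m in ipsec:
        name = m["interface"]
        slot = p1[name].get("ipsec-tunnel-slot", "auto")  # assumed default when unset
        slots[m.get("zone", "virtual-wan-link")].add(slot)  # assumed default zone
        if slot in ("auto", "master"):
            findings.append(f"{name}: ipsec-tunnel-slot {slot}, set a specific FPC")
        for p2name, e in p2.items():
            if e.get("phase1name") == name and e.get("auto-negotiate") != "enable":
                findings.append(f"{name}: phase 2 {p2name} lacks auto-negotiate enable")
    for zone, used in sorted(slots.items()):
        if len(used) > 1:
            findings.append(f"zone {zone}: tunnels use different slots {sorted(used)}")
    return findings

SAMPLE = "\n".join([  # constructed config; names and the FPC3 spelling are assumptions
    'config vpn ipsec phase1-interface',
    'edit "vpn-a"', 'set ipsec-tunnel-slot FPC3', 'next',
    'edit "vpn-b"', 'set ipsec-tunnel-slot master', 'next', 'end',
    'config vpn ipsec phase2-interface',
    'edit "a-p2"', 'set phase1name "vpn-a"', 'set auto-negotiate enable', 'next',
    'edit "b-p2"', 'set phase1name "vpn-b"', 'next', 'end',
    'config system sdwan', 'config members',
    'edit 1', 'set interface "vpn-a"', 'set zone "overlay"', 'next',
    'edit 2', 'set interface "vpn-b"', 'set zone "overlay"', 'next', 'end', 'end'])
```

Calling audit(SAMPLE) reports the master slot on vpn-b, its phase 2 without auto negotiation, and the slot mismatch inside the overlay zone.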