montyadams
Staff
July 22, 2025

Technical Tip: Configuring SD-WAN with redundant Site-to-Site VPN between multiple FortiGate sites

Description
This article describes how to configure FortiGate SD-WAN with redundant site-to-site IPsec VPN between four sites (Site1, Site2, Site3, Site4). This implementation provides high availability, automatic failover, and dynamic traffic steering using dual WAN connections at each site.

Scope
FortiGate devices running SD-WAN with IPsec VPN configured between multiple sites, using dual WAN links and health checks.
Solution

Topology Overview.

  • Each FortiGate site (Site1, Site2, Site3, Site4) is configured with two WAN interfaces.
  • Site4 acts as the SD-WAN hub or data center.
  • Redundant IPsec VPN tunnels are established over both WAN links between all sites.
  • SD-WAN health checks and rules manage dynamic routing and failover.

 

                    ┌─────────────┐
                    │   Site4     │
                    │   (Hub/DC)  │
                    └─────┬───────┘
                          │
               Primary & Backup Links
                          │
     ┌────────────┬───────┴────────────┬─────────────┐
     │            │                    │             │
 ┌───▼───┐   ┌────▼────┐          ┌────▼────┐   ┌────▼────┐
 │ Site1 │   │ Site2   │          │ Site3   │   │ Future  │
 │       │   │         │          │         │   │ Site    │
 └───────┘   └─────────┘          └─────────┘   └─────────┘

 

  1. SD-WAN Member Configuration.

 

config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 1.1.1.1
        next
        edit 2
            set interface "wan2"
            set gateway 2.2.2.2
        next
    end
end

On FortiOS 6.4.1 and later the table is "config system sdwan"; older firmware uses "config system virtual-wan-link" with the same member syntax. SD-WAN must be enabled with "set status enable" before members can be used. The gateway addresses are examples: use the next-hop address of each ISP.

 

  2. IPsec VPN Tunnel Configuration (Site1 to Site4).

 

config vpn ipsec phase1-interface
    edit "Site1_to_Site4_wan1"
        set interface "wan1"
        set ike-version 2
        set remote-gw <Site4_wan1_ip>
        set psksecret <shared_secret>
    next
    edit "Site1_to_Site4_wan2"
        set interface "wan2"
        set ike-version 2
        set remote-gw <Site4_wan2_ip>
        set psksecret <shared_secret>
    next
end
config vpn ipsec phase2-interface
    edit "Site1_to_Site4_wan1"
        set phase1name "Site1_to_Site4_wan1"
        set auto-negotiate enable
    next
    edit "Site1_to_Site4_wan2"
        set phase1name "Site1_to_Site4_wan2"
        set auto-negotiate enable
    next
end

Each tunnel is bound to its own WAN interface and terminates on the matching WAN address of Site4, so losing one ISP takes down only one tunnel. A phase2-interface entry is required for the tunnel to come up; "auto-negotiate enable" brings it up without waiting for user traffic, which the SD-WAN health check needs. Use a unique, high-entropy pre-shared key per site and the same IKE version on both ends.

 

  3. Adding IPsec interfaces to SD-WAN.

 

config system sdwan
    config members
        edit 3
            set interface "Site1_to_Site4_wan1"
        next
        edit 4
            set interface "Site1_to_Site4_wan2"
        next
    end
end

An IPsec tunnel is added as a member by its interface name, like any other interface; SD-WAN members have no "type" attribute. Members join the default zone "virtual-wan-link" unless "set zone" is specified.

 

  4. Performance SLA Health Check.

 

config system sdwan
    config health-check
        edit "Site4_probe"
            set server "<Site4_probe_IP>"
            set protocol ping
            set members 3 4
        next
    end
end

The server must be an address on Site4 that answers ping through both tunnels (for example a loopback or the data center LAN gateway), and the Site4 firewall policy must permit the probe. The probe's source address is configured per member ("set source" under "config members"), typically the local IP assigned to each tunnel interface, so that the probe actually traverses the tunnel being measured.

 

  5. SD-WAN Rule to Route VPN Traffic.

 

config firewall address
    edit "Site4_LAN"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config system sdwan
    config service
        edit 1
            set name "To_Site4"
            set mode priority
            set dst "Site4_LAN"
            set health-check "Site4_probe"
            set priority-members 3 4
        next
    end
end

"set dst" references a firewall address object, not a literal prefix, so the 10.10.10.0/24 object is created first. With "set mode priority" the rule prefers member 3 and falls back to member 4 when the health check marks member 3 dead or worse by the link-cost factor (latency by default); "set mode sla" with "config sla" can be used instead to steer on explicit latency, jitter and packet-loss targets.

 

  6. Static Route via SD-WAN.

 

config router static
    edit 0
        set dst 10.10.10.0/24
        set sdwan-zone "virtual-wan-link"
    next
end

On FortiOS 7.0 and later the route points at the SD-WAN zone with "set sdwan-zone"; on 6.4 use "set sdwan enable" instead. Note that a route via a zone that also contains the underlay members (wan1, wan2) will fall back to sending 10.10.10.0/24 in cleartext over the underlay if both tunnels are down; placing the IPsec members in their own zone and routing via that zone avoids this.
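The six steps above, as one complete, added FortiOS 7.x configuration for the Site1 spoke side (this is an added example, not the article's own configuration). It assumes the two phase1/phase2 tunnels from step 2 already exist, that the spoke LAN port is "internal", that the Site4 LAN is 10.10.10.0/24 with a gateway 10.10.10.1 that answers ping, and that the Site4 end of each tunnel is addressed 10.255.1.254 / 10.255.2.254; the "overlay" zone, the "Site4_LAN" object, the tunnel IPs and the SLA thresholds are choices made for this example. It goes beyond the article in two ways: the IPsec members sit in a dedicated zone so the static route can never fall back to the cleartext underlay, and the rule uses "mode sla" so that a tunnel that is up but degraded is abandoned before it fails outright. Firewall policies, which the article omits but which are required for any traffic to flow, reference the zone rather than individual tunnels.

```fortios
# Added example (not from the article): Site1 spoke, FortiOS 7.x CLI.
# IPs, object names, zone name and SLA thresholds are assumptions.
config system interface
    edit "Site1_to_Site4_wan1"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.254 255.255.255.255
    next
    edit "Site1_to_Site4_wan2"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.254 255.255.255.255
    next
end
config firewall address
    edit "Site4_LAN"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config system sdwan
    set status enable
    # Zone holding only the IPsec members: a route via it never falls back to the underlay
    config zone
        edit "overlay"
        next
    end
    config members
        edit 3
            set interface "Site1_to_Site4_wan1"
            set zone "overlay"
            set source 10.255.1.1
        next
        edit 4
            set interface "Site1_to_Site4_wan2"
            set zone "overlay"
            set source 10.255.2.1
        next
    end
    config health-check
        edit "Site4_probe"
            set server "10.10.10.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 1
            set name "To_Site4"
            set mode sla
            set src "all"
            set dst "Site4_LAN"
            config sla
                edit "Site4_probe"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set sdwan-zone "overlay"
    next
end
config firewall policy
    edit 0
        set name "LAN_to_Site4"
        set srcintf "internal"
        set dstintf "overlay"
        set srcaddr "all"
        set dstaddr "Site4_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Site4_to_LAN"
        set srcintf "overlay"
        set dstintf "internal"
        set srcaddr "Site4_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Site4 needs the mirror image: one phase1/phase2 pair per spoke tunnel with "set ip" / "set remote-ip" reversed (so the hub has a connected route back to 10.255.1.1 and 10.255.2.1), and a policy from its own overlay zone to the LAN that permits the probe to 10.10.10.1. After pasting, "diagnose sys sdwan health-check" shows per-member latency, jitter and loss against SLA 1, and "diagnose sys sdwan service" shows which member the "To_Site4" rule is currently selecting; if both members report "sla_map=0x0", check the hub-side policy before touching the rule.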

 

Best practices:

  • Each site should maintain at least two IPsec VPN tunnels to Site4 over separate WAN links.
  • Performance SLA (the health check plus its SLA targets) detects a degraded path by latency, jitter and packet loss and moves traffic to the next member before the tunnel fails completely.
  • BGP over IPsec may be used for large-scale deployments with dynamic routing.
  • ADVPN allows the central hub to inform two spokes that a direct shortcut tunnel between them is possible, so spoke-to-spoke traffic no longer has to hairpin through Site4.


    dferiadelgado
    Staff
    July 22, 2025

    Great job!