Technical Tip: Why 'net-device enable' is not supported on a HUB with SD-WAN
Description
This article explains why the 'net-device enable' option is rejected on a HUB dial-up IPsec tunnel whose interface is a member of an SD-WAN zone.
Scope
FortiGate.
Solution
The dial-up tunnel below has been created on the FortiGate acting as the HUB. Note that 'net-device' is disabled, which is the default written by the VPN wizard for this role.
config vpn ipsec phase1-interface
    edit "Ipsec-dialup"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: Ipsec-dialup (Created by VPN wizard)"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC *****
    next
end
The virtual interface 'Ipsec-dialup' is a member of the SD-WAN zone 'virtual-wan-link'.

Attempting to enable 'net-device' on this phase1 fails with the following error:
config vpn ipsec phase1-interface
(phase1-interface) # edit Ipsec-dialup
(Ipsec-dialup) # set net-device enable
This interface is used by vwl.
node_check_object fail! for net-device enable
value parse error before 'enable'
Command fail. Return code -23
The following image shows the same error in the FortiGate GUI:

'net-device enable' is not supported on a HUB whose dial-up phase1 is an SD-WAN member because the two features model the tunnel differently. With 'net-device enable', FortiOS creates a separate dynamic tunnel interface for every dial-up spoke that connects, so the parent 'Ipsec-dialup' interface no longer carries the tunnels itself. SD-WAN, however, treats the dial-up phase1 as a single member interface ('vwl' in the error message stands for virtual-wan-link) and expects every spoke tunnel to terminate on that one shared interface, where the configured tunnel search method (by next hop or by selectors) picks the correct spoke for each packet. Per-tunnel dynamic interfaces can never be SD-WAN members, so the CLI and GUI reject the change for as long as the interface is referenced by SD-WAN.
The supported HUB configuration is therefore 'net-device disable', which is what the VPN wizard (wizard-type hub-fortigate-auto-discovery) writes. That is also what allows the dial-up interface to be added to an SD-WAN zone; the tunnel search setting, which is only offered while net-device is disabled, then handles spoke selection on the shared interface. If 'net-device enable' is genuinely required, the interface must first be removed from the SD-WAN zone and from any SD-WAN rules that reference it, after which SD-WAN can no longer steer traffic over the dial-up tunnels.
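The CLI sequence below is an added example and is not part of the original article or of the VPN wizard output. It assumes the HUB from this article (phase1 'Ipsec-dialup' on port1, SD-WAN zone 'virtual-wan-link') and an SD-WAN member sequence number of 1, which is an assumption; read the real number from 'show system sdwan' before changing anything. The 'tunnel-search' option is shown because the article refers to the tunnel search method; it is only offered while 'net-device' is disabled, and its availability depends on the FortiOS version.

```text
# Added example, not from the original article.
# 1. Find what references the interface. The 'vwl' in the error message is
#    the SD-WAN (virtual-wan-link) member entry that holds 'Ipsec-dialup'.
show system sdwan | grep -f Ipsec-dialup

# 2a. Supported HUB configuration: keep net-device disabled so every dial-up
#     spoke terminates on the single 'Ipsec-dialup' interface, and choose how
#     the spoke is selected on that shared interface (assumed: nexthop).
config vpn ipsec phase1-interface
    edit "Ipsec-dialup"
        set net-device disable
        set tunnel-search nexthop
    next
end
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "Ipsec-dialup"
            set zone "virtual-wan-link"
        next
    end
end

# 2b. Only if per-tunnel dynamic interfaces are genuinely required: remove
#     the SD-WAN member first (and any SD-WAN rule that names member 1 or the
#     zone), after which 'set net-device enable' is accepted. SD-WAN rules can
#     then no longer steer traffic over the dial-up tunnels.
config system sdwan
    config members
        delete 1
    end
end
config vpn ipsec phase1-interface
    edit "Ipsec-dialup"
        set net-device enable
    next
end

# 3. Verify which model is in effect: with net-device disabled all spokes
#    are listed under the one 'Ipsec-dialup' interface.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

Run step 1 before either branch: if the member entry still exists, step 2b's 'set net-device enable' fails with the same "This interface is used by vwl" error shown above.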
Related article:
Technical Tip: Unable to add IPsec Dial-up interface in an SD-WAN Zone
