Article Id 282186
Description: This article describes how to convert an existing IPsec VPN to an SD-WAN member.
Scope: All FortiGate versions.

The example outlined in this article will demonstrate how to achieve this.


To add an existing IPsec VPN tunnel (named 'IPerf' in this example) to an SD-WAN network, first ensure that there are no active references to that tunnel.


Below, there are 4 active references to the 'IPerf' tunnel:




Selecting the reference section (e.g. selecting the number '4') will show the various places the VPN is being used currently. Remove the tunnel from all of those displayed references.




Here, the VPN is being used in firewall policies, the static route, and in the corresponding phase 2 setting.


First, remove the 'IPerf' tunnel interface from the firewall policy and the static route.

(The policy/static route can be deleted, or the interface can be replaced with another dummy interface for the time being.)


Lastly, remove the reference to 'VPN IPsec Phase2 Interface' with the following CLI commands:


config vpn ipsec phase2-interface
    delete "IPerf"
end

Here, "IPerf" is the phase 2 name of the VPN tunnel.



Now, there are no active references.




When creating a new SD-WAN member, the 'IPerf' VPN now appears among the available interface options.




Now, the VPN tunnel interface has been added as an SD-WAN member.
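
As an added example (not part of the original article and not Fortinet tooling), the following Python script scans a saved FortiGate configuration backup for `set` lines that still name the tunnel, as an offline cross-check of the reference count described above. The sample configuration, its interface names and its entry IDs are constructed, and the parser assumes the usual config/edit/set/next/end layout of a backup file.

```python
import shlex
# Constructed sample in FortiGate backup layout (names and IDs are made up).
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "IPerf"
        set interface "wan1"
    next
end
config vpn ipsec phase2-interface
    edit "IPerf"
        set phase1name "IPerf"
    next
end
config firewall policy
    edit 7
        set srcintf "lan"
        set dstintf "IPerf"
    next
end
config router static
    edit 3
        set device "IPerf"
    next
end
'''

def find_references(config_text, name):
    """Return (config path, entry id, setting) for each 'set' line naming `name`."""
    stack, refs = [], []  # stack holds the open config/edit blocks
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)  # '#' header lines are dropped
        except ValueError:  # unbalanced quote, e.g. a multi-line value
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif tokens[0] == "edit":
            stack.append(("edit", tokens[1]))
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
        elif tokens[0] == "set" and name in tokens[2:]:
            path = " / ".join(v for k, v in stack if k == "config")
            entry = next((v for k, v in reversed(stack) if k == "edit"), None)
            refs.append((path, entry, tokens[1]))
    return refs

if __name__ == "__main__":
    print(*find_references(SAMPLE_CONFIG, "IPerf"), sep="\n")
```

The tunnel's own phase 1 definition is not reported, because only `set` lines that point at the name count as references. The reference count shown in the GUI remains the authoritative check.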