Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
montyadams
Staff
Staff

Created on ‎07-22-2025 06:21 AM Edited on ‎08-01-2025 07:45 AM By Moderator

Article Id 402801

Technical Tip: Configuring SD-WAN with redundant Site-to-Site VPN between multiple FortiGate sites

Description This article describes how to configure FortiGate SD-WAN with redundant site-to-site IPsec VPN between four sites (Site1, Site2, Site3, Site4). This implementation provides high availability, automatic failover, and dynamic traffic steering using dual WAN connections at each site.
Scope FortiGate devices running SD-WAN with IPsec VPN configured between multiple sites, using dual WAN links and health checks.
Solution

Topology Overview.

  • Each FortiGate site (Site1, Site2, Site3, Site4) is configured with two WAN interfaces.
  • Site4 acts as the SD-WAN hub or data center.
  • Redundant IPsec VPN tunnels are established over both WAN links between all sites.
  • SD-WAN health checks and rules manage dynamic routing and failover.

 

                    ┌─────────────┐
                    │   Site4     │
                    │   (Hub/DC)  │
                    └─────┬───────┘
                          │
                Primary & Backup Links
                          │
     ┌────────────┬───────┴────────────┬─────────────┐
     │            │                    │             │
 ┌───▼───┐    ┌────▼────┐         ┌────▼────┐   ┌────▼────┐
 │ Site1 │    │ Site2   │         │ Site3   │   │ Future  │
 │       │    │         │         │         │   │ Site    │
 └───────┘    └─────────┘         └─────────┘   └─────────┘

 

  1. SD-WAN Member Configuration.

 

config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set gateway 1.1.1.1
        next
        edit 2
            set interface "wan2"
            set gateway 2.2.2.2
        next
    end
end

 

  1. IPsec VPN Tunnel Configuration (Site1 to Site4).

 

config vpn ipsec phase1-interface
    edit "Site1_to_Site4_wan1"
        set interface "wan1"
        set remote-gw <Site4_wan1_ip>
        set psksecret <shared_secret>
    next
    edit "Site1_to_Site4_wan2"
        set interface "wan2"
        set remote-gw <Site4_wan2_ip>
        set psksecret <shared_secret>
    next
end

 

  1. Adding IPsec interfaces to SD-WAN.

 

config system virtual-wan-link
    config members
        edit 3
            set interface "Site1_to_Site4_wan1"
            set type vpn
        next
        edit 4
            set interface "Site1_to_Site4_wan2"
            set type vpn
        next
    end
end

 

  1. Performance SLA Health Check.

 

config system sdwan
    config health-check
        edit "Site4_probe"
            set server "<remote_local_IP>"
            set source "<local_IP>"
            set protocol ping
            set members 3 4
        next
    end
end

 

  1. SD-WAN Rule to Route VPN Traffic.

 

config system sdwan
    config service
        edit 1
            set name "To_Site4"
            set dst "10.10.10.0/24"
            set priority-members 3 4
            set health-check "Site4_probe"
        next
    end
end

 

  1. Static Route via SD-WAN.

 

config router static
    edit 0
        set dst 10.10.10.0/24
        set device "sdwan"
    next
end

 

Best practices:

  • Each site should maintain at least two IPsec VPN tunnels to Site4 over separate WAN links.
  • Performance SLA ensures path failover based on latency and packet loss.
  • BGP over IPsec may be used for large-scale deployments with dynamic routing.
  • Product names such as FortiManager and FortiGuard must always be written in full form.
  • ADVPN allows the central hub to dynamically inform spokes about a better path for traffic between two spokes.
1178
Suggest New Article
Article Feedback
Comments
dferiadelgado
Staff
Staff
‎07-22-2025 09:25 AM

Great job!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.