Description |
This article explains why a dial-up tunnel cannot be added in an SD-WAN Zone. |
Scope | FortiGate. |
Solution |
Sometimes, when a user attempts to add a dial-up IPsec tunnel to an SD-WAN zone, the following error message is displayed: "Entry not found in data source. Value parse error before 'tunnel name'."
This happens if the 'net-device' feature is enabled on the dynamic tunnel. When 'net-device' is disabled, all dial-up tunnels share the same interface.
Tunnel selection is then based on the tunnel search method (this functionality was removed in v7.0+, and tunnel search is based on the tunnel ID). When 'net-device' is enabled, a dynamic interface is created for each dial-up tunnel, which is why the tunnel cannot be added to an SD-WAN zone.
Once 'net-device' is disabled, the tunnel can be added to SD-WAN:
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "MPLS"
        set peertype one
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set peerid "test"
        set psksecret ENC yObE1MovZntFQTmFLLeD++eSbssuON20blaIFoBmlnjI1uD2925xy1vMrqsq/AwuiKiXD4Szs+w0pKf7fI8uvd6uNyuIjh+L5cUe 2cOzztc+Um67E6keNlvftNtLQHW/7bZClFBgb9npdPmKD/aItv7qT736wuxSXJVEgi44ePEgkFDXotZq5CuDFoe0ODRaJfYerg==
        set dpd-retryinterval 60
    next
end
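A pre-check for the condition described above, as an added example (not Fortinet's code): it scans a saved configuration for dial-up (`type dynamic`) phase1 interfaces that have `net-device` enabled, which are the tunnels that cannot be added to an SD-WAN zone. The sample configuration and the names "BRANCH-DIAL" and "SITE2" are constructed; only an explicit `set net-device enable` is flagged, because the article does not state the default.

```python
import re

# Constructed sample config for illustration; "BRANCH-DIAL" and "SITE2" are made-up names.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set net-device disable
    next
    edit "BRANCH-DIAL"
        set type dynamic
        set net-device enable
    next
    edit "SITE2"
        set type static
    next
end
"""

def parse_phase1(config_text):
    """Return {tunnel_name: {option: value}} for the phase1-interface table."""
    tunnels, current, in_table, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower() == "config vpn ipsec phase1-interface":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("config "):
            depth += 1                      # nested sub-table inside a tunnel entry
        elif line == "end":
            if depth == 0:
                in_table, current = False, None
            else:
                depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = tunnels.setdefault(m.group(1), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return tunnels

def blocked_from_sdwan(config_text):
    """Dial-up tunnels with net-device explicitly enabled (assumption: unset is not flagged)."""
    return sorted(
        name for name, opts in parse_phase1(config_text).items()
        if opts.get("type") == "dynamic" and opts.get("net-device") == "enable"
    )
```

Running `blocked_from_sdwan()` over a configuration backup lists the tunnels that need `set net-device disable` before they are added to a zone.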
Related article: Technical Tip: Reason behind why the net-device "enable" is not supported on the HUB with SD-WAN
Copyright 2025 Fortinet, Inc. All Rights Reserved.