IPSec VPN tunnels inside versus outside SD-WAN - benefits?
Good day everyone,
I'd be glad to hear your input on - what are benefits/disadvantages of IPSec site-to-site 2 tunnels between 2 Fortigates, each having 2 ISP links inside/outside SD-WAN membership? SD-WAN config including both ISP links for Internet clear traffic exists on both Fortigates. Both Fortigates run 6.4.4, all ISP links are of the same bandwidth.
I am not going to do Application/Destination-based load-balancing, basic ECMP load-sharing via OSPF/BGP running on both tunnels will be just fine.
Do I miss something ? Will it cause troubles to have SD-WAN and IPsec configs unrelated to each other (like IPSec packets coming via ISP A but replies being sent via ISP-B)?
I'd like to know other's opinions and insights too for this. But my guess would be it wouldn't hurt putting VPNs in SD-WAN other than it might take some extra CPU time. But then it would be doing just the same as you set up an IPsec aggregate, so probably won't much different if any. Since 6.4 has zones, it's a little easier if we decided to use SD-WAN later for VPNs when the benefit becomes clearer.