Fortinet Forum
Yurisk
Contributor III

IPSec VPN tunnels inside versus outside SD-WAN - benefits?

Good day everyone, 

I'd be glad to hear your input on this: what are the benefits/disadvantages of 2 IPsec site-to-site tunnels between 2 FortiGates, each having 2 ISP links, inside versus outside SD-WAN membership? An SD-WAN config including both ISP links for clear Internet traffic exists on both FortiGates. Both FortiGates run 6.4.4, and all ISP links are of the same bandwidth.

I am not going to do Application/Destination-based load-balancing, basic ECMP load-sharing via OSPF/BGP running on both tunnels will be just fine. 

Do I miss something? Will it cause trouble to have SD-WAN and IPsec configs unrelated to each other (like IPsec packets coming in via ISP A but replies being sent via ISP B)?

Thanks


Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
Toshi_Esumi
Esteemed Contributor

I'd like to know others' opinions and insights on this too. But my guess would be it wouldn't hurt putting VPNs in SD-WAN, other than it might take some extra CPU time. But then it would be doing just the same as if you set up an IPsec aggregate, so it probably won't be much different, if at all. Since 6.4 has zones, it's a little easier if we decide to use SD-WAN later for VPNs when the benefit becomes clearer.

emnoc
Esteemed Contributor III

Even if you did not put both of them in the same SD-WAN group, you could add them in a group, e.g.:

vpn1

vpn2

And later move them into a new group.

As far as benefits:

1> easier or less policy

2> transparent load balance

3> flexible rules to route traffic by SLA or application type

4> a simpler process imho if a VPN failure happens

YMMV

Ken Felix

PCNSE 

NSE 

StrongSwan
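The zone-based layout emnoc describes, written out as a FortiOS 6.4 CLI sketch. This is an added example, not configuration from either poster; the interface names (wan1, wan2, vpn1, vpn2), the zone name "vpn-zone", the peer and gateway addresses and the PSK are constructed placeholders.

```fortios
# Constructed example, not from either poster. Each phase1 is bound to one ISP
# interface, so IKE and ESP for that tunnel enter and leave on the same link; this
# is the usual answer to the "in via ISP A, reply via ISP B" concern in the question.
config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "wan1"
        set remote-gw 198.51.100.1
        set psksecret <placeholder-psk>
    next
    edit "vpn2"
        set interface "wan2"
        set remote-gw 203.0.113.1
        set psksecret <placeholder-psk>
    next
end
# The two tunnels go into their own SD-WAN zone next to the ISP members. Moving
# them to another zone later is only a change of "set zone" on each member, and
# firewall policies reference "vpn-zone" rather than each tunnel individually.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "vpn-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 192.0.2.129
        next
        edit 3
            set interface "vpn1"
            set zone "vpn-zone"
        next
        edit 4
            set interface "vpn2"
            set zone "vpn-zone"
        next
    end
end
```

With ECMP over OSPF/BGP on both tunnels as the question proposes, the zone only groups the members for policy purposes; routing itself is left to the dynamic routing protocol unless SD-WAN rules are added later.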