Valued Contributor

IPSec VPN tunnels inside versus outside SD-WAN - benefits?

Good day everyone, 

I'd be glad to hear your input on this: what are the benefits/disadvantages of two IPsec site-to-site tunnels between two FortiGates, each having two ISP links, inside versus outside SD-WAN membership? An SD-WAN config including both ISP links for clear Internet traffic exists on both FortiGates. Both FortiGates run 6.4.4, and all ISP links have the same bandwidth.

I am not going to do Application/Destination-based load-balancing, basic ECMP load-sharing via OSPF/BGP running on both tunnels will be just fine. 

Am I missing something? Will it cause trouble to have the SD-WAN and IPsec configs unrelated to each other (e.g. IPsec packets arriving via ISP A but replies being sent via ISP B)?



Yuri blog: All things Fortinet, no ads.
Esteemed Contributor III

I'd like to know others' opinions and insights on this too. But my guess would be that it wouldn't hurt to put VPNs in SD-WAN, other than it might take some extra CPU time. But then it would be doing just the same as if you set up an IPsec aggregate, so it probably won't be much different, if at all. Since 6.4 has zones, it's a little easier if we decide to use SD-WAN later for VPNs when the benefit becomes clearer.

Esteemed Contributor III

Even if you did not put both of them in the same SD-WAN group, you could add them in a group

And later move them into a new group.


As far as benefits:

1> easier or less policy

2> transparent load balance

3> flexible rules to route traffic by SLA or application type

4> a simpler process imho if a VPN failure happens

Ken Felix

PCNSE NSE StrongSwan
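As an added example (not from this thread, not Fortinet's own documentation), a FortiOS 6.4 CLI sketch of Ken's "put them in a group" on one FortiGate: each phase1-interface is bound to a physical ISP link, so that tunnel's outer IKE/ESP packets use that link in both directions whatever SD-WAN decides for clear Internet traffic, while the tunnel interfaces themselves become members of a dedicated SD-WAN zone with a health check and a load-balancing rule. All interface names, member IDs, address objects and IPs are placeholders, and "vpn-isp-b" is assumed to be configured like "vpn-isp-a" but bound to wan2 with the peer's ISP-B address.

```fortios
# Added example, not from this thread. FortiOS 6.4 syntax; all names, IDs and IPs are placeholders.
config vpn ipsec phase1-interface
    edit "vpn-isp-a"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set psksecret <REDACTED_PSK>
    next
end
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
    # Tunnels, not ISP links, are the zone members; the probe tests the peer's inside address through each.
    config members
        edit 3
            set interface "vpn-isp-a"
            set zone "vpn-zone"
        next
        edit 4
            set interface "vpn-isp-b"
            set zone "vpn-zone"
        next
    end
    config health-check
        edit "vpn-probe"
            set server "10.2.0.1"
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 150
                next
            end
        next
    end
    # Spread site-to-site traffic over both tunnels while they meet the SLA; a failing member is skipped.
    config service
        edit 1
            set mode load-balance
            set dst "site-b-lan"
            config sla
                edit "vpn-probe"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
```

Firewall policies can then reference "vpn-zone" as srcintf/dstintf instead of each tunnel separately, which is Ken's point 1.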