Hi 

Trying to figure out how to setup sd-wan, failover or redundant connection from branch to HQ (running 6.0.4)

Situation is that we have sattelite connection (static ip and IPsec vpn to hq) onboard several vessels with a secondary 4G connection (dynamic ip and behind NAT, seconday IPsec to hq as dialin) that is being used close to shore. IPsec over 4G should have lowest static route distance because it is the best connection when available) 

It is the 4G connection that is giving me a headach, becauase on HQ is the IPsec setup as DialIn because connection (on vessel) is behind NAT. IPsec Dialin connection is at HQ Fortigate always showing status up in Interfaces, even it is not, so static routes is messing up traffic from HQ to vessel because these is with lowest distance and interface is having status up, so traffic is trying to be send throug connection that is not up (my assumption) 

I have one ip-sec dialin connection per branch 4g connection, setup with uniq peer id.

The DialIn IPsec connection is also not possible to be added into SD-Wan, if they was, then I could setup Performance SLA, in order to solve my problem up/down issue)

I have attached screenshot (static routes distance should be opposite in order to have desired configuration)

What would you do?

Your assistance in this matter is greatly appreciated!! ;o)

Best regards

Niels Christian Skovbo