SD-WAN conflicts with SSL VPN + IPsec + VIP?
Hello,
I'm trying to improve my setup.
I have new FortiGate units with 2 ISPs: 1 primary and 1 backup, running FortiOS 7.2.3.
So I followed this https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/431448/sd-wan-overview in order to add my wan1 and wan2 into virtual-wan-link. I configured a cost of 0 on WAN1 and a cost of 10 on WAN2.
I added the default static route through virtual-wan-link. However, I cannot manage the distance and priority of this route, and I'm not sure my VPNs (IPsec + SSL) will continue to work.
When I created a VPN (without SDWAN), I used to create a static route to the VPN interface with a lower distance than my default route.
But now, I can only create a static route with the same priority. Will it work?
I read this https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984... but I'm not sure if it's mandatory?
Unfortunately I cannot test right now. I need to create and prepare my setup before going into production. So I wonder if anyone has already experimented with a setup like mine:
- SD WAN primary/backup for WAN1 and WAN2
- SSL VPN / IPsec / VIP on WAN1 ONLY
Do I need to configure something more, or review my priorities, to get my VPNs working along with my new SD-WAN setup?
Let me know if you need more info or if it's not clear.
Thanks !
Labels: FortiGate
Hi,
After our exchange in PM: the FortiGate uses the most specific route in your routing table for your VPN traffic.
You can close this post if that's okay with you.
Have a nice day.
Hello RDM,
I have almost the same configuration as you, but with a centralized Internet exit and ADVPN.
I recommend that you use SD-WAN rules and SLAs, as indicated in the last link you posted, in order to ensure that the traffic goes through the link you want.
I use this feature to distribute my load between my 2 VPN links, for example.
Hi Julien,
Thanks for your answer.
So I would need to configure SD-WAN rules for my IPsec + SSL VPN + VIP traffic?
However, I don't know what to create. Do you have an example for me?
Hi, SD-WAN rules are only for your outbound traffic. SSL VPN or VIP are allowed in on your wan1 interface.
Best Regards,
Julien
OK, same for IPsec, I guess? So I don't need to do anything?
What about my static route to my remote subnet, which cannot be "before" my default one?
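The following is an added configuration example illustrating the thread's setup; it is not from the original post, from Fortinet, or from any participant. It shows the SD-WAN zone with the cost 0 / cost 10 members, the default route via the SD-WAN zone, an SD-WAN rule for outbound Internet traffic (the only place a rule is needed, as Julien notes), and a static route for a remote subnet over an IPsec interface. The /24 route wins over the default route by longest-prefix match, so its distance does not have to be lower than the default route's, which is the point of the accepted answer. The zone name "virtual-wan-link", the phase1-interface name "to-branch" (assumed to already exist and to be bound to wan1), the subnet 10.20.0.0/24 and the probe address 8.8.8.8 are placeholders.

```fortios
# Added example, not from the thread. Names and addresses below are placeholders:
# zone "virtual-wan-link", an existing phase1-interface "to-branch" bound to wan1,
# remote subnet 10.20.0.0/24, health-check target 8.8.8.8.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set cost 0
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set cost 10
        next
    end
    config health-check
        edit "ping-probe"
            set server "8.8.8.8"
            set members 1 2
        next
    end
    # Outbound Internet traffic only: prefer member 1 (wan1), fail over to wan2.
    # Inbound SSL VPN / VIP sessions terminate on wan1 and need no rule.
    config service
        edit 1
            set name "internet-out"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "ping-probe"
            set priority-members 1 2
        next
    end
end

config router static
    # Default route points at the SD-WAN zone rather than a single interface.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
    # Remote subnet over the IPsec tunnel interface. 10.20.0.0/24 is a longer
    # prefix than 0.0.0.0/0, so it is selected first; distance only breaks ties
    # between routes to the same prefix and need not be lower than the default.
    edit 2
        set dst 10.20.0.0 255.255.255.0
        set device "to-branch"
        set comment "branch LAN via IPsec"
    next
    # Blackhole with a high distance: if the tunnel goes down and route 2 is
    # withdrawn, traffic for 10.20.0.0/24 is dropped instead of matching the
    # default route and leaving the SD-WAN links in cleartext.
    edit 3
        set dst 10.20.0.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

The IPsec tunnel's own encrypted (ESP) packets egress the interface named in the phase1's `set interface`, so binding the phase1 to wan1 keeps the tunnel on wan1 without an SD-WAN rule. To check the result, `get router info routing-table all` should list the /24 via the tunnel interface alongside the default route via the zone members, and `diagnose sys sdwan service` and `diagnose sys sdwan health-check` show which member the outbound rule is currently using.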
