Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

SDWAN feature for Internet and VPN IPsec traffic


I am trying to know if it is possible to do SDWAN for Internet traffic and traffic going through two IPsec tunnels (the endpoint on the other side will be a Meraki MX). The remote subnets for the two IPsec tunnels will be the same, so if I am configuring static routes for this same subnet with the two tunnel interfaces as next hop (route-based VPN), I do not think I will be able to load-balance the traffic: there will always be a preferred route and I will not have active-active links for VPN IPsec traffic. But with the SDWAN feature, maybe there is a subtlety which can make this possible :) So the purpose is to load-balance the Internet traffic and VPN traffic between the two WAN interfaces thanks to the SDWAN feature. Besides, I do not have a way to test it for the moment, so this is just a theoretical question.


Thanks in advance,




Hi Thomas_AA


Yes, you can configure your two IPsec links as active-active to load-balance your traffic with the SD-WAN algorithm.


Please take a look at this document, which is very helpful: http://cookbook.fortinet....oyment-example-expert/


For detailed configuration, if you need it, please put your specific requirements and topology here. Keep in touch!



Hi Eric,


Can you explain to me the notion of VIP here? For me, the term VIP on a FortiGate is for destination NAT.

And what about the route configuration ? Do I still need to configure two static routes for ?

When you wrote "IP address for your remote site", did you mean the public IP of the remote firewall?


Thanks again for your help


Yes, you are right. It's dst NAT.


On fgt-a, it dst-NATs the internal subnet as

On fgt-b, it dst-NATs the internal subnet as


So you don't need to, and actually you would not be able to, route between your two edge devices. If you configure a static route for, your edge device couldn't tell which interface to go for, internal or external.


Because you need to let the edge device know how to get to the right destination.

If you didn't do the dst NAT, the edge device would be confused when it received a packet with dst as your internal subnet. Right?

Imagine that you have two of the same subnet in different locations: on your edge device, would there be two routes with the same dst but different outgoing devices? It doesn't make sense.

