Fortinet Support Forum

WAN Design using iBGP / SD-WAN (optional ADVPN)

Hi Guys,


Seeking some design assistance for a new network rollout (WAN design) using Fortinet FortiGates. I'm familiar with some of the aforementioned technology, but not to the depth that would allow me to accomplish the design.


I'm seeking some guidance on the interconnectivity between iBGP, SD-WAN and possibly ADVPN, specifically related to the design below. If anyone would be able to lend some technical assistance / guidance based on their experience, it would be greatly appreciated.


Based on the design below:

1. Is a transit gateway required to accomplish the design below from the island hub to the primary hub?

    a. Use eBGP between the ISLAND HUB and the Primary HUB, eliminating the transit gateway altogether

    b. Use eBGP between the ISLAND HUB and the transit gateway, and next-hop-self (iBGP) on the transit gateway to the PRIMARY HUB

    c. eBGP between the ISLAND WAN and the BB transit gateway, and eBGP between the BB transit gateway and BB Primary (separate the ASes completely)


What do you think may be the best / most viable option in this scenario?



2. I'm leaning towards not using ADVPN on the spokes because each spoke will have different providers:


    a. I understand, based on research, that ADVPN can be accomplished on different underlays once the overlays utilize the same subnet. Any confirmations or clarifications here?

    b. Assuming that we utilize separate IPsec tunnels, can I just configure my iBGP neighbor here and have it route through whichever tunnel SD-WAN chooses?

    c. "Configure my iBGP neighbor here and have it route": I'm assuming this would be automatic once SD-WAN chooses the link to utilize, provided the BGP neighbor config is correct. Correct?


Any guidance or support from anyone who understands the topics involved is greatly appreciated.


(Attachment: ISLAND_WAN Design_OL.png)


Hello RoutedRob,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Stephen - Fortinet Community Team

From my understanding, your design intent falls under the category of a multi-regional deployment for ADVPN. The ADVPN feature on the FortiGate side is really just auto-discovery sender/receiver/forwarder. Disabling this auto-discovery setting in the IPsec settings determines whether you can use ADVPN or not, which is basically just the shortcut tunnels forming spoke-to-spoke.

You may find these documents helpful: 

A transit gateway is not required. You can just form an IPsec tunnel between the Island and Primary hubs using eBGP. Please note that only SD-WAN is required to be configured for the IPsec tunnels on the spoke side.
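To make the answer above concrete, here is an added FortiOS CLI sketch of the three pieces it describes: the ADVPN knob (`auto-discovery-sender` on the hub dial-up tunnel, `auto-discovery-receiver` on the spoke tunnels), a direct hub-to-hub IPsec tunnel carrying an eBGP session with no transit gateway (option 1a), and a spoke with two different ISPs, one overlay per ISP, iBGP neighbor per overlay and SD-WAN steering between them. This is example configuration written for this thread, not config from the original poster or from Fortinet documentation; it assumes FortiOS 6.4+ syntax, and all interface names, AS numbers, addresses (RFC 5737 ranges) and the `<...>` pre-shared-key placeholders are made up. Phase2-interface entries, tunnel IP assignment (`config system interface` or IKE mode-cfg), the hub's second dial-up tunnel and neighbor-range for its second WAN, firewall policies and the SD-WAN rules that steer traffic into the overlay are omitted.

```text
# ---- Primary hub (AS 65001) ----
config vpn ipsec phase1-interface
    edit "HUB-ISP1"                          # dial-up tunnel: all spokes land here via hub WAN 1
        set type dynamic
        set interface "port1"
        set ike-version 2
        set net-device disable
        set add-route disable                # prefixes come from BGP, not from IKE
        set auto-discovery-sender enable     # the ADVPN knob: hub relays shortcut offers
        set psksecret <hub-spoke-psk>
    next
    edit "TO-ISLAND"                         # static hub-to-hub tunnel, no transit gateway
        set interface "port1"
        set ike-version 2
        set add-route disable
        set remote-gw 198.51.100.10          # island hub WAN address (example value)
        set psksecret <hub-hub-psk>
    next
end
config router bgp
    set as 65001
    set ibgp-multipath enable
    config neighbor-group
        edit "SPOKES-ISP1"
            set remote-as 65001              # iBGP: spokes share the hub's AS
            set route-reflector-client enable  # hub reflects spoke prefixes spoke-to-spoke
            set next-hop-self enable
            set link-down-failover enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.1.0 255.255.255.0   # tunnel subnet used by HUB-ISP1 spokes
            set neighbor-group "SPOKES-ISP1"
        next
    end
    config neighbor
        edit "10.250.0.2"                    # island hub's TO-ISLAND tunnel IP
            set remote-as 65002              # eBGP straight to the island hub (option 1a)
            set interface "TO-ISLAND"
        next
    end
end

# ---- Spoke (AS 65001), two different ISPs, one overlay per ISP ----
config vpn ipsec phase1-interface
    edit "SPOKE-ISP1"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable   # accept shortcut offers relayed by the hub
        set remote-gw 203.0.113.1            # hub WAN 1
        set psksecret <hub-spoke-psk>
    next
    edit "SPOKE-ISP2"
        set interface "wan2"
        set ike-version 2
        set net-device enable
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.2            # hub WAN 2, its own dial-up tunnel and neighbor-range
        set psksecret <hub-spoke-psk>
    next
end
config system sdwan
    set status enable
    config members
        edit 1
            set interface "SPOKE-ISP1"
        next
        edit 2
            set interface "SPOKE-ISP2"
        next
    end
    config health-check
        edit "HUB-HC"
            set server "10.200.1.1"          # hub loopback, advertised by the hub over both overlays
            set members 1 2
        next
    end
end
config router bgp
    set as 65001
    set ibgp-multipath enable                # install both hub paths; SD-WAN rules pick the egress
    config neighbor
        edit "10.10.1.1"                     # hub's HUB-ISP1 tunnel IP
            set remote-as 65001
            set interface "SPOKE-ISP1"
            set link-down-failover enable
        next
        edit "10.10.2.1"                     # hub's HUB-ISP2 tunnel IP
            set remote-as 65001
            set interface "SPOKE-ISP2"
            set link-down-failover enable
        next
    end
end
```

Two points this layout makes that the prose alone does not: the spoke does not have "one iBGP neighbor that follows SD-WAN", it has one session per overlay, and `ibgp-multipath` keeps both hub paths in the routing table so an SD-WAN rule (health-check or SLA based) decides which tunnel carries the flow; and ADVPN shortcuts are negotiated per hub dial-up tunnel, so with two overlays a spoke can only form shortcuts with peers on the same overlay, which is why each hub WAN gets its own dial-up tunnel and neighbor-range. Use the default IKEv2 proposals only after checking they meet your policy; set `set proposal` explicitly on both phase1 entries otherwise.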
