IPSec VPN with SD-WAN (FortiOS 6.0.1)

I have a very similar situation to the below post that was started a year ago.

https://www.reddit.com/r/fortinet/comments/7ebztc/ipsec_vpn_w_sdwan/

Now, I have a remote site that is running SD-WAN to two ISPs. We are using it for features other than just load balancing. When I try to configure the VPN, the SD-WAN interface isn't present. Is there a way to utilize the SD-WAN interface? If not, what is the best approach so that the VPN can use both ISPs and load balance between the two?

SD-WAN is a fake interface - it can only be used with a limited range of functionality, mainly within firewall policies. From the perspective of network-related functionality, like routing or VPNs, it doesn't exist. You need to work with physical interfaces.

What kind of VPN are we talking about? If it's site-to-site I would recommend creating two separate interface-based IPSec VPNs (VTI/GRE over IPSec) and running OSPF or another routing protocol on top of them. Then you could utilize ECMP to evenly load balance flows. I have tested such a setup recently (6.0.3) and it works without issues.
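The OSPF-over-two-tunnels approach from the reply above, written out as an added FortiOS 6.0 CLI example (this is not the poster's lab config). It assumes the two route-based tunnels "test" and "test1" already exist with point-to-point addresses 10.255.0.1/.2 and 10.255.1.1/.2, that the LAN port is named "internal" with 192.168.10.0/24 behind it, and a placeholder OSPF MD5 key; all of those names and addresses are assumptions.

```fortios
# Added example, not the poster's config. Assumes tunnels "test" and "test1"
# already exist with point-to-point pairs 10.255.0.1/.2 and 10.255.1.1/.2,
# LAN port "internal" carries 192.168.10.0/24, and <ospf-key> is a placeholder.

# ECMP: allow two equal-cost paths and hash per flow so a session sticks to
# one tunnel (per-packet spraying across tunnels would cause reordering).
config system settings
    set ecmp-max-paths 2
    set v4-ecmp-mode source-dest-ip-based
end

config router ospf
    set router-id 10.255.0.1
    # Never form adjacencies on the user LAN; only advertise it.
    set passive-interface "internal"
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-test"
            set interface "test"
            set network-type point-to-point
            set cost 10
            set authentication md5
            set md5-key 1 "<ospf-key>"    # 6.0 syntax; newer releases use config md5-keys
        next
        edit "ospf-test1"
            set interface "test1"
            set network-type point-to-point
            set cost 10                   # same cost on both => two routes installed
            set authentication md5
            set md5-key 1 "<ospf-key>"
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.252
        next
        edit 2
            set prefix 10.255.1.0 255.255.255.252
        next
        edit 3
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end
```

With the hub mirroring this (same area, same cost on both tunnel interfaces, same MD5 key), `get router info routing-table ospf` on either side should list each remote prefix with two next hops, one per tunnel; if a tunnel drops, its adjacency times out and that path is withdrawn without any SD-WAN involvement.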

6.2 beta has some functionality for this but I haven't had a chance to try it out yet. It isn't available in 6.0, so you have to specify the individual interface in the wizard. You could set up two tunnels and add them to the SD-WAN interface and balance traffic over them if you wanted.

Create the VPNs on the physical interfaces, then add the IPSec tunnel interfaces into the SD-WAN group, then create your routing/policy, etc. referencing the SD-WAN interface. You should even be able to combine these with the actual outside interfaces within the SD-WAN group so that both WAN and INET traffic benefit from SD-WAN, and just rely on the routing via the "SD-WAN Rules" policy-based routing section to direct traffic appropriately (e.g. RFC1918 over IPSec, with non-RFC1918 addresses egressing toward the Internet).

I haven’t used this personally, but it should be possible. Here’s how I’d set it up:

int3 and int4 are physical interfaces, whilst test and test1 are IPSec VPN interfaces. You may need to add /31 linknet addresses on the VPN tunnels themselves and specify these in the "gateway" portion of the SD-WAN config for it to work correctly, though I can't lab this at the moment.

Note: Not SD-WAN specific, but you’ll want to blackhole your RFC1918 destined traffic so it doesn’t attempt to egress your INET interfaces in the event both IPSec tunnels are down.
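The tunnels-as-SD-WAN-members design described in the two replies above (tunnels built on the physical interfaces, added to the SD-WAN group next to the real uplinks, an SD-WAN rule pinning RFC1918 to the tunnels, and blackhole routes underneath), as an added FortiOS 6.0 CLI example that is not the posters' config. Assumed names and addresses: port3/port4 are the two ISP uplinks (the "int3"/"int4" of the post), "test"/"test1" are the tunnels, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the ISP subnets and hub public IP, 10.255.0.x/10.255.1.x are the tunnel point-to-point pairs, 10.0.0.1 is a host on the hub LAN, and "RFC1918" is a pre-existing address group covering 10/8, 172.16/12 and 192.168/16.

```fortios
# Added example, not the poster's config. Assumed: port3/port4 = ISP uplinks,
# "test"/"test1" = tunnels, 198.51.100.0/24 and 203.0.113.0/24 stand in for the
# ISP subnets, 10.255.x.x = tunnel point-to-point pairs, address group "RFC1918"
# already exists. FortiOS 6.0 syntax, where SD-WAN is "virtual-wan-link".

# 1. Route-based tunnel on ISP-1. Repeat as "test1" on port4 with its own
#    remote-gw; the hub must be reachable through both ISPs.
config vpn ipsec phase1-interface
    edit "test"
        set interface "port3"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "test"
        set phase1name "test"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable      # keep the SA up so health checks can probe it
        set src-subnet 0.0.0.0/0       # routing, not selectors, decides what enters
        set dst-subnet 0.0.0.0/0
    next
end
# 2. Point-to-point addresses on the tunnels so SD-WAN has a gateway to probe
#    (FortiOS models the "/31" as a /32 local IP plus remote-ip).
config system interface
    edit "test"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
    edit "test1"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.255
    next
end
# 3. SD-WAN: uplinks and tunnels are all members. Rule 1 pins private
#    destinations to the tunnels and balances across both; rule 2 keeps
#    Internet traffic off the tunnels. Rule order is first match.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port3"
            set gateway 198.51.100.1
        next
        edit 2
            set interface "port4"
            set gateway 203.0.113.1
        next
        edit 3
            set interface "test"
            set gateway 10.255.0.2
        next
        edit 4
            set interface "test1"
            set gateway 10.255.1.2
        next
    end
    config health-check
        edit "hub-lan"
            set server "10.0.0.1"      # only reachable via the tunnels
            set members 3 4
        next
    end
    config service
        edit 1
            set name "rfc1918-via-ipsec"
            set mode load-balance      # use "priority" if your 6.0 build lacks it
            set dst "RFC1918"
            set priority-members 3 4
        next
        edit 2
            set name "internet-via-isps"
            set mode load-balance
            set dst "all"
            set priority-members 1 2
        next
    end
end
# 4. Default route via SD-WAN, with blackholes underneath (distance 254) so
#    private traffic drops instead of leaking to the ISPs when both tunnels
#    are down. Repeat the blackhole for 172.16.0.0/12.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "virtual-wan-link"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
    next
    edit 3
        set dst 192.168.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
```

Firewall policies then use "virtual-wan-link" as the destination interface; keep NAT enabled only on the policy whose destination is the Internet, since a single any-to-any policy with NAT on would source-NAT private traffic to the tunnel IP. `diagnose sys virtual-wan-link health-check` shows whether the hub probe succeeds over each tunnel, and `diagnose sys virtual-wan-link service` shows which members each rule is currently using, which is the quickest way to confirm that RFC1918 flows are landing on members 3 and 4 and nothing else is.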

It’s an IPSEC tunnel.