Hub SD-WAN Overlay phase1 Config

[k3ym0]

It is recommended to use on-demand DPD mode on dial-up servers (SD-WAN hub). With on-demand mode, FGT sends DPD probes if there is only outbound traffic through the tunnel, but not inbound. On-demand mode is more convenient on hubs because of the reduced overhead and in turn increased scalability.

config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-demand   <---
        set network-overlay enable
        set network-id 1
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.252
        set ipv4-netmask 255.255.255.0
        set psksecret fortinet
        set dpd-retryinterval 60