u/Ill-Studio-6311

Hi Fortinet community,

I'm running ADVPN with BGP on loopback and I'm questioning whether combining mode-cfg enable with exchange-ip-addr4 on the hub's dialup phase1 is a bad design decision.

Here's my setup: the hub has a dynamic dialup phase1 where tunnels are created as spokes connect. With config mode enabled, tunnel interfaces get IPs from a pool (e.g., 10.10.200.x). I'm also using exchange-ip to inject the loopback (BGP peering) as a reachable route via IKE.

My concern is that tunnels are now identified by random tunnel IDs instead of the loopback IP used for BGP. Since net-device disable on the hub side means we rely on tunnel IDs for route-to-tunnel mapping (replacing the legacy net-device logic), I'm wondering if having config mode assign arbitrary pool IPs creates a disconnect that causes problems downstream. Because if config mode were disabled, the tunnel ID would simply be the IP sent via the exchange, and thus the next hop in BGP-received routes, so the mapping would be direct.

I'm asking because I've noticed some weird behavior: FortiGate sometimes selects the wrong tunnel interface even when SD-WAN SLA rules should prevent it, and the static routes learned from exchange-ip-addr4 aren't always injected into the kernel routing table. I'm not sure if these issues stem from the config mode + exchange combination or if they're unrelated.

Is this setup fundamentally problematic, or is it just a matter of proper configuration? Has anyone encountered similar issues where the tunnel identification (by random IP) conflicts with the BGP next-hop resolution (by loopback IP)?

Thank you in advance, and sorry if the post is too long!

u/Ill-Studio-6311 — 8 days ago