SD-WAN Security Basics: IPsec and VPNs

IPsec-based VPNs are used by nearly all SD-WANs. Because an SD-WAN uses the public internet in addition to MPLS connections, a VPN or IPsec tunnel is required to ensure, at the very least, that traffic is not interfered with between the sender and receiver.

This is done by:

Authenticating the sender, receiver, and packets being sent
Using encryption keys already shared by the hosts sending and receiving the data, or using public and private key encryption
Ensuring packets have not been tampered with by using the Encapsulating Security Payload (ESP) protocol
Confirming that the origin of packets is trusted through an Authentication Header (AH) that looks at the IP header
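
The header check in the last item, as an added example that is not part of the original article: a simplified AH-style integrity check value (HMAC-SHA-256 truncated to 128 bits) computed over the IPv4 header with the fields routers legitimately change set to zero, so a TTL decrement in transit still verifies while a rewritten source address or payload does not. The key, addresses, SPI, and function names are constructed for illustration, and the real AH header layout is reduced to its SPI and sequence number.

```python
import hashlib
import hmac
import socket
import struct

def ipv4_header(src, dst, ttl, payload_len, tos=0):
    """Build a 20-byte IPv4 header (protocol 51 = AH) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0,
                      ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def zero_mutable(hdr):
    """Zero the fields that may change in transit before authenticating."""
    b = bytearray(hdr)
    b[1] = 0                 # DSCP/ECN
    b[6:8] = b"\x00\x00"     # flags and fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_icv(key, hdr, spi, seq, payload):
    """Integrity check value over immutable header fields, SPI/sequence, payload."""
    msg = zero_mutable(hdr) + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def verify(key, hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, spi, seq, payload), icv)

# Constructed sample values (documentation address ranges, demo key).
KEY = b"constructed-demo-key-not-for-use"
PAYLOAD = b"branch-to-hub application data"
SPI, SEQ = 0x1000, 1

sent = ipv4_header("192.0.2.10", "198.51.100.20", 64, len(PAYLOAD))
icv = ah_icv(KEY, sent, SPI, SEQ, PAYLOAD)
# Same packet after three router hops: only TTL and checksum differ.
routed = ipv4_header("192.0.2.10", "198.51.100.20", 61, len(PAYLOAD))
# Same packet with the source address rewritten.
spoofed = ipv4_header("203.0.113.99", "198.51.100.20", 64, len(PAYLOAD))

if __name__ == "__main__":
    print("after 3 hops:    ", verify(KEY, routed, SPI, SEQ, PAYLOAD, icv))
    print("source rewritten:", verify(KEY, spoofed, SPI, SEQ, PAYLOAD, icv))
    print("payload modified:", verify(KEY, sent, SPI, SEQ, PAYLOAD + b"!", icv))
```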

Visibility

A major benefit of SD-WANs over traditional WANs is the level of visibility into the network that SD-WAN provides. Network administrators can manage and orchestrate the network centrally and monitor traffic for inconsistencies. With this functionality, they can ensure applications are performing sufficiently, troubleshoot network problems, and ensure security elements and policies are running correctly.

However, the degree of visibility depends on the SD-WAN vendor. Some vendors go down to the user/device level, while others only go to the application level. The information the SD-WAN gathers from the user, device, or application gives insight into whether the traffic is coming from a trusted or less trusted source.
