WQTpicap
New Member
October 6, 2025
Solved

Can we create a remote-access IPsec VPN on a floating public IP address?


Hi, we need to configure a remote-access IPsec VPN on a FortiGate. Can it be configured using a floating public IP address?

The routing for this floating IP is configured properly; it should be routed to the firewall via the internet and the local internet router. Can someone please advise? Thanks in advance!

Best answer by distillednetwork


distillednetwork
Explorer II
October 7, 2025

Are you referring to a floating IP address in a cloud environment, or do you have a public IP address you can advertise out through two ISPs via BGP?

If it is the latter, it may be possible to create an IPsec tunnel off of a loopback interface, then create a VIP that is the public IP address you advertise via BGP and mapped to the loopback. Just keep in mind that when using a loopback for IPsec you could lose NPU offloading. You can check your device with this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Information-about-IPsec-on-loopback-interface-and/ta-p/208677

WQTpicap
Author
New Member
October 7, 2025

Hi @distillednetwork, thank you so much for your advice. Yes, we have a public IP block which can be advertised to the ISP. What is NPU? What is the impact of losing NPU offloading?

funkylicious
SuperUser
October 7, 2025