andhau
Visitor III
November 5, 2024
Question

IPsec tunnel initiating on the outside to loopback


So we currently have some IPsec tunnels that initiate both on the inside and on the outside using our outside interface.
We want to move this to a loopback instead, so that our ISP is more free to make changes on our outside interface.

We're using 1800F version 7.2.9.

I'm struggling to understand if I have to do anything after we have moved the tunnels to the loopback, so that they can be initiated from the inside as well as from the outside.

I was thinking, if I put the loopback interface in the same zone as the outside interface and allow intra-zone traffic, is that a good solution that will work?

My other idea would be to create a firewall policy that allows traffic coming from the outside interface, going into the loopback, allowing the remote VPN address as source.
If so, is it enough to allow IKE traffic on this rule, or do we need ESP as well?

Thank you!

1 reply

andhau (Author)
Visitor III
November 5, 2024

So if someone else is looking for this, I finally found an article explaining it.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-between-2-FortiGates-using-a-loopback/ta-p/344806

What they are doing is using firewall policies.

What I'm wondering now is, is it customary to use both src and dst interface/address in the same rule?
Example from the guide:

    edit 2
        set name "Traffic_for_loopback_IPSEC"
        set uuid f5a16342-7b79-51ef-6e44-02c65af6bb78
        set srcintf "loopback_FG1" "port1"
        set dstintf "loopback_FG1" "port1"
        set action accept
        set srcaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set dstaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set schedule "always"
        set service "ESP" "IKE"
    next

Doesn't this also allow 10.10.11.1-32 to speak to 10.10.11.1-32 as well?
And port1 to speak to port1?
Maybe this isn't an issue, but wouldn't it be better to split them into two separate policies?
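The question raised in the reply above, whether a single policy with two source and two destination interfaces and addresses quietly matches more than the two intended flows, can be answered by expanding the policy. A FortiOS policy treats the members of one field as alternatives (OR) and combines the fields with AND, so the set of traffic it accepts is the Cartesian product of its lists. The script below is an added example written for this editorial pass; it is not code from the original post or from Fortinet. It models the quoted policy, expands it into every (srcintf, dstintf, srcaddr, dstaddr, service) combination it accepts, and compares that against two hypothetical one-direction policies. The policy names `IPSEC_in_port1_to_loopback` and `IPSEC_out_loopback_to_port1`, and the assumption that `loopback_FG1` carries 10.10.9.1/32 while the peer is 10.10.11.1/32, are my own and not taken from the KB article. Whether the FortiGate would ever route a packet port1-to-port1 or loopback-to-loopback is a separate matter; the expansion only shows what the policy text permits.

```python
"""Expand a FortiOS firewall policy into the flows it actually accepts.

Added example, not code from the original post or from Fortinet.
Assumptions (hypothetical, not from the KB article):
  - loopback_FG1 holds 10.10.9.1/32 (local IKE/ESP endpoint)
  - the remote FortiGate is 10.10.11.1/32
"""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, Set, Tuple

Match = Tuple[str, str, str, str, str]  # (srcintf, dstintf, srcaddr, dstaddr, service)


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: Tuple[str, ...]
    dstintf: Tuple[str, ...]
    srcaddr: Tuple[str, ...]
    dstaddr: Tuple[str, ...]
    service: Tuple[str, ...]


def effective_matches(policy: Policy) -> Set[Match]:
    """Every flow the policy accepts.

    FortiOS ORs the members within a field and ANDs the fields together,
    so the accepted set is the Cartesian product of the five lists.
    """
    return set(product(policy.srcintf, policy.dstintf,
                       policy.srcaddr, policy.dstaddr, policy.service))


def self_pairs(policy: Policy) -> Set[Match]:
    """Matches where ingress == egress interface or source == destination address,
    i.e. the 'port1 to port1' / '10.10.11.1 to 10.10.11.1' cases the post asks about."""
    return {m for m in effective_matches(policy) if m[0] == m[1] or m[2] == m[3]}


def extra_matches(combined: Policy, split: Iterable[Policy]) -> Set[Match]:
    """Flows the combined policy accepts that none of the split policies does."""
    intended: Set[Match] = set()
    for p in split:
        intended |= effective_matches(p)
    return effective_matches(combined) - intended


def render_cli(policy: Policy) -> str:
    """Render a policy in FortiOS CLI syntax (no edit ID or uuid; those are assigned on the box)."""
    q = lambda items: " ".join(f'"{i}"' for i in items)  # noqa: E731
    return "\n".join([
        f'    edit 0',
        f'        set name "{policy.name}"',
        f'        set srcintf {q(policy.srcintf)}',
        f'        set dstintf {q(policy.dstintf)}',
        f'        set action accept',
        f'        set srcaddr {q(policy.srcaddr)}',
        f'        set dstaddr {q(policy.dstaddr)}',
        f'        set schedule "always"',
        f'        set service {q(policy.service)}',
        f'    next',
    ])


# The policy quoted from the KB article in the post above.
COMBINED = Policy(
    "Traffic_for_loopback_IPSEC",
    srcintf=("loopback_FG1", "port1"), dstintf=("loopback_FG1", "port1"),
    srcaddr=("h-10.10.11.1-32", "h-10.10.9.1-32"), dstaddr=("h-10.10.9.1-32", "h-10.10.11.1-32"),
    service=("ESP", "IKE"),
)

# Hypothetical split: one policy per direction (names and address roles are assumptions).
INBOUND = Policy("IPSEC_in_port1_to_loopback",
                 ("port1",), ("loopback_FG1",),
                 ("h-10.10.11.1-32",), ("h-10.10.9.1-32",), ("ESP", "IKE"))
OUTBOUND = Policy("IPSEC_out_loopback_to_port1",
                  ("loopback_FG1",), ("port1",),
                  ("h-10.10.9.1-32",), ("h-10.10.11.1-32",), ("ESP", "IKE"))


if __name__ == "__main__":
    print(f"combined policy accepts {len(effective_matches(COMBINED))} flows")
    print(f"  of which {len(self_pairs(COMBINED))} are same-interface or same-address")
    print(f"  and {len(extra_matches(COMBINED, [INBOUND, OUTBOUND]))} are outside the two intended directions")
    print("\nsplit policies:")
    for p in (INBOUND, OUTBOUND):
        print(render_cli(p))
```

Running it shows the quoted policy accepts 32 flow combinations (2 x 2 x 2 x 2 x 2) where only 4 are needed (two directions, two services each); 24 of them are the same-interface or same-address matches the reply points at. The two single-direction policies accept exactly those 4 and nothing else, which is the argument for splitting. Both ESP and IKE (UDP 500, and UDP 4500 when NAT-T is in play) still have to be in each direction's policy, since the tunnel needs both the negotiation and the encapsulated traffic to reach the loopback.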