Milaan
New Member
May 17, 2016
Question

SSL-VPN with Loopback Interface


Is it possible to get SSL-VPN with a loopback interface working? IPSEC is working but SSL-VPN is not :(

2 replies

sguru
New Member
May 19, 2021

Is there any known working setup for SSL-VPN over the loopback interface?

Regards,

Guru

emnoc
New Member
May 19, 2021

That should be doable and has been done numerous times. Nothing is complex or different except you need a policy to get or allow access to the loopback interface since it's a loopback ;)

Here's what we've done, e.g.

/* create a loopback

config system interface
    edit "loop"
        set vdom "root"
        set ip 192.168.23.1 255.255.255.255
        set type loopback
        set snmp-index 9
    next
end

/* install policy on the interface(s) to get to the sslvpn listener, basically the port that you need or are using for sslvpn

/* custom service

FWHELBARCESP01 # show firewall service custom tcp8443
config firewall service custom
    edit "tcp8443"
        set tcp-portrange 8443
    next
end

/* policy to get to sslvpn

FWHELBARCESP01 # show firewall policy 334
config firewall policy
    edit 334
        set uuid 4a75937a-b89b-51eb-4000-117989a354a2
        set srcintf "internal"
        set dstintf "loop"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "tcp8443"
    next
end

and lastly the sslvpn policy

FWHELBARCESP01 # show firewall policy 1992
config firewall policy
    edit 1992
        set name "NET56263SSLVPN"
        set uuid 12b8d2d0-b89b-51eb-8e45-ad8027b7c710
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "REDE_GROUP10"
        set dstaddr "wifi-hub"
        set action accept
        set schedule "always"
        set service "EMPRESA_SERVICIOS_GROUPO1"
        set nat enable
        set users "PAGO_PROCESADORES"
    next
end

Just build the SSLVPN settings like any old SSLVPN, but your interface is the named "loopback" interface that you create. Then advertise that into OSPF if you're running an IGP routing protocol.

Ken Felix
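
Added example, not part of the original post and not Fortinet tooling: a Python check, run offline against a saved configuration, that the piece the answer stresses is present, namely an accept policy whose destination interface is a loopback and whose service is the SSL-VPN listener port. The `parse` and `audit` helpers and the trimmed `SAMPLE` are constructed for illustration; the check also lists matching policies that leave `dstaddr` at "all" so they can be narrowed to the loopback address.

```python
import shlex
# Constructed sample, trimmed from the configuration quoted in the answer above.
SAMPLE = '''
config system interface
    edit "loop"
        set type loopback
    next
end
config firewall service custom
    edit "tcp8443"
        set tcp-portrange 8443
    next
end
config firewall policy
    edit 334
        set dstintf "loop"
        set dstaddr "all"
        set action accept
        set service "tcp8443"
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text, port):
    """Which accept policies reach a loopback on tcp/port, and which use dstaddr "all"."""
    cfg = parse(text)
    loops = {n for n, e in cfg.get("system interface", {}).items()
             if e.get("type") == ["loopback"]}
    # Simplification: only an exact single-port tcp-portrange is matched, not ranges.
    svcs = {n for n, e in cfg.get("firewall service custom", {}).items()
            if e.get("tcp-portrange") == [str(port)]}
    hits = {pid: p for pid, p in cfg.get("firewall policy", {}).items()
            if p.get("action") == ["accept"] and loops & set(p.get("dstintf", []))
            and svcs & set(p.get("service", []))}
    broad = sorted(pid for pid, p in hits.items() if "all" in p.get("dstaddr", []))
    return {"reaching": sorted(hits), "dstaddr_all": broad}
```

An empty `reaching` list for the listener port means no policy admits traffic to the loopback, which is the condition the answer says the extra policy is there to fix.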

sguru
New Member
May 20, 2021

Thanks for your response. Yes, SSL-VPN is working fine.

Regards,

Guru