Description |
This article describes how to configure FortiGate with IPSec VPN implanted on or bounded to the loopback interface. |
Scope | FortiGate v6.4, v7.2. |
Solution |
Sample configuration: IPSec VPN phase 1 bounded to the loopback interface.
config vpn ipsec phase1-interface edit "test_VPN" set interface "loopback0" set peertype any set proposal aes128-sha256 set remote-gw 10.200.200.200 set psksecret test123 end
In the above configuration sample, the remote gateway (remote-gw) was stated, but the local gateway (local-gw) was not and it’s usually not mandated/enforced since FortiGate has a way of retrieving it (unlike remote-gw which is impossible for FortiGate to guess). Whenever there is 'inbound' IKE traffic to FortiGate, the destination of such traffic is the local-gw IP.
If this IP is not expressly configured with 'set local-gw x.x.x.x', then the primary IP of the interface stated or referenced under 'IPSec phase-1 interface' configuration is used as local-gw IP.
If this local-gw is to be configured manually, it must be a primary or secondary IP on the referenced interface that was explained earlier.
Now the inbound IKE traffics are destined for the local-gw IP, however, the traffic did not come into the FortiGate through the loopback interface, but through our WAN, e.g. ISP.
The best practice when IPSec is bound to loopback is to configure inbound Firewall policy from the WAN interface to the loopback interface and permit service=IKE. The outbound IKE traffic does not require a firewall policy.
Also, starting from FOS 6.2.8, 6.4.9, and 7.0 upward, it is possible to enable asymmetric routing on the loopback interface. Visit this KB article for more details:
It is necessary to know whether the FortiOS version running on the unit supports NPU offload on the loopback interface or not. Please refer to this link regarding NPU loopback offload support:
If this is not carefully planned it can result in poor/non-optimal performance (for traffic over the tunnel) in the end. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.