This article describes how to configure a FortiGate with an IPSec VPN bound to the loopback interface.
Scope: FortiGate v6.4, v7.2.
Sample configuration: IPSec VPN phase 1 bound to the loopback interface (the phase 1 entry name "<phase1-name>" is a placeholder; substitute the tunnel name used on the unit).
config vpn ipsec phase1-interface
    edit "<phase1-name>"
        set interface "loopback0"
        set peertype any
        set proposal aes128-sha256
        set remote-gw 10.200.200.200
        set psksecret test123
    next
end
In the above configuration sample, the remote gateway (remote-gw) is set but the local gateway (local-gw) is not. local-gw is usually not mandatory because FortiGate can derive it, unlike remote-gw, which FortiGate has no way to guess.
Whenever there is inbound IKE traffic to the FortiGate, the destination of that traffic is the local-gw IP.
If this IP is not explicitly configured with 'set local-gw x.x.x.x', the primary IP of the interface referenced in the phase 1 configuration ('set interface') is used as the local-gw IP.
If local-gw is configured manually, it must be a primary or secondary IP of that referenced interface.
The inbound IKE traffic is destined for the local-gw IP, but it does not enter the FortiGate through the loopback interface; it arrives through the WAN interface (e.g. the ISP link).
Best practice when IPSec is bound to a loopback is therefore to configure an inbound firewall policy from the WAN interface to the loopback interface that permits service IKE.
Outbound IKE traffic does not require a firewall policy.
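As an added example (not Fortinet's code and not part of this article), a small Python audit that parses a FortiOS CLI config export and checks the two points above for every phase 1 bound to a loopback: an explicitly set local-gw must be the address of that loopback, and an accept policy into the loopback permitting service IKE must exist. The parser only handles flat tables (nested blocks such as secondaryip are skipped, so only the primary IP is compared), and the sample config, interface names and tunnel name are constructed.

```python
# Audit a FortiOS config: phase1s bound to a loopback need a consistent local-gw
# and an inbound accept policy to the loopback that permits service IKE.

def parse(text):
    # Flat-table parser: {table: {entry: {key: value}}}; nested sub-tables (e.g. secondaryip) are not handled.
    tables, stack, cur = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            stack.append(tables.setdefault(line[7:], {}))
        elif line.startswith("edit "):
            cur = stack[-1].setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = val.replace('"', "")
        elif line in ("next", "end"):
            cur, stack = None, stack[:-1] if line == "end" else stack
    return tables

def audit(text):
    # Returns a list of findings; an empty list means the loopback-bound phase1s are consistent.
    t = parse(text)
    ifaces, policies = t.get("system interface", {}), t.get("firewall policy", {}).values()
    findings = []
    for name, p1 in t.get("vpn ipsec phase1-interface", {}).items():
        intf = p1.get("interface")
        if ifaces.get(intf, {}).get("type") != "loopback":
            continue  # only tunnels bound to a loopback are in scope
        primary_ip = ifaces[intf].get("ip", "").split(" ")[0]
        if p1.get("local-gw", primary_ip) != primary_ip:  # explicit local-gw must be on the loopback
            findings.append(f"{name}: local-gw {p1['local-gw']} is not the IP of {intf} ({primary_ip})")
        if not any(p.get("dstintf") == intf and p.get("action") == "accept"  # IKE arrives via the WAN
                   and "IKE" in p.get("service", "").split() for p in policies):
            findings.append(f"{name}: no accept policy to {intf} permitting service IKE")
    return findings

# Constructed sample config (not from the article), one CLI statement per element.
SAMPLE = "\n".join([
    "config system interface", 'edit "loopback0"', "set type loopback",
    "set ip 10.1.1.1 255.255.255.255", "next", "end",
    "config vpn ipsec phase1-interface", 'edit "to_branch"', 'set interface "loopback0"',
    "set local-gw 10.1.1.1", "set remote-gw 10.200.200.200", "next", "end",
    "config firewall policy", "edit 1", 'set srcintf "wan1"', 'set dstintf "loopback0"',
    "set action accept", 'set service "IKE"', "next", "end",
])

if __name__ == "__main__":
    print(audit(SAMPLE) or "loopback-bound phase1s look consistent")
```

Run it against the output of 'show full-configuration' to get a list of findings; a mismatched local-gw or a missing WAN-to-loopback IKE policy is reported per tunnel.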
Also, starting from FOS 6.2.8, 6.4.9, and 7.0 upward, asymmetric routing can be enabled on the loopback interface.
Visit this KB article for more details:
It is necessary to know whether the FortiOS version running on the unit supports NPU offload on the loopback interface. Refer to this link regarding NPU loopback offload support:
If this is not planned carefully, it can result in poor or non-optimal performance for traffic over the tunnel.