FortiGate
spoojary (Staff)
Article Id 403478

Description: This article describes how to terminate an IPsec dial-up (remote access) connection on a loopback interface by using a virtual IP (VIP).

Scope: FortiGate.

Solution:

Network topology: [screenshot in original article]

1. Configure the loopback interface.

GUI: [screenshot in original article]

CLI:

config system interface
    edit "Loopback"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 31
    next
end

2. Configure the FortiGate WAN interface (port1).

GUI: [screenshot in original article]

CLI:

config system interface
    edit "port1"
        set ip 10.9.11.84 255.255.240.0
        set allowaccess ping https ssh http ftm
    next
end

3. Configure VIPs with an external IP mapped to the loopback interface IP. For IPsec, create two port-forwarding VIPs, one for UDP port 500 and one for UDP port 4500.

GUI: [screenshots in original article]

CLI:

config firewall vip
    edit "ipsec-loopback500"
        set extip 0.0.0.0
        set mappedip 10.10.10.1
        set extintf "any"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedport 500
    next
    edit "ipsec-loopback4500"
        set extip 0.0.0.0
        set mappedip 10.10.10.1
        set extintf "any"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedport 4500
    next
end

4. Configure the IPsec dial-up tunnel (phase 1) on the loopback interface.

GUI: [screenshot in original article]

CLI:

config vpn ipsec phase1-interface
    edit "ipsec-dialup"
        set type dynamic
        set interface "Loopback"
        set mode aggressive
        set mode-cfg enable
        set dhgrp 20
        set xauthtype auto
        set authusrgrp "vpn group"
        set ipv4-start-ip 10.10.10.2
        set ipv4-end-ip 10.10.10.50
        set dns-mode auto
        set ipv4-split-include "ipsec-dialup_split"
        set unity-support disable
        set psksecret ENC
    next
end

5. Configure the firewall policy that allows access to the VIPs from outside (port1 to the loopback interface).

GUI: [screenshot in original article]

CLI:

config firewall policy
    edit 14
        set name "Loopback-VIP"
        set srcintf "port1"
        set dstintf "Loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "ipsec-loopback500" "ipsec-loopback4500"
        set schedule "always"
        set service "ALL"
    next
end

6. Configure the firewall policy for IPsec dial-up users (tunnel interface to port2).

GUI: [screenshot in original article]

CLI:

config firewall policy
    edit 15
        set name "vpn_ipsec-dialup_remote_0"
        set srcintf "ipsec-dialup"
        set dstintf "port2"
        set action accept
        set srcaddr "ipsec-dialup_range"
        set dstaddr "port2 address"
        set schedule "always"
        set service "ALL"
    next
end

7. Connect to the IPsec dial-up VPN from the client.

FortiClient: [screenshot in original article]

Note: IPsec VPN remote access does not currently support terminating on a loopback interface through a virtual IP. The tunnel may come up, but it shows 0 bytes received (as in the FortiClient output above), data traffic will not pass, and esp_error entries appear in the VPN events.
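The following check is an added example and is not part of the article or of FortiOS. It parses FortiOS CLI snippets of the shape used above (config / edit / set / next / end) with a minimal parser, then verifies the prerequisites of the setup described in steps 3 to 5 (a port-forwarding VIP for UDP 500 and for UDP 4500 mapped to the loopback IP, both referenced as dstaddr in a firewall policy) and, per the note above, reports the dial-up-on-loopback-via-VIP combination itself as unsupported. The sample configuration is constructed from the article's snippets; parse_fortios, check_loopback_dialup and the finding texts are this example's own names.

```python
# Added example: minimal FortiOS CLI parser plus a check for the
# "IPsec dial-up on a loopback interface via VIP" pattern described above.
# Not Fortinet code; function names and finding texts are this example's own.
import shlex

# Constructed from the article's snippets (options the check does not need are omitted).
SAMPLE_CONFIG = """
config system interface
    edit "Loopback"
        set ip 10.10.10.1 255.255.255.0
        set type loopback
    next
end
config firewall vip
    edit "ipsec-loopback500"
        set mappedip 10.10.10.1
        set portforward enable
        set protocol udp
        set extport 500
    next
    edit "ipsec-loopback4500"
        set mappedip 10.10.10.1
        set portforward enable
        set protocol udp
        set extport 4500
    next
end
config vpn ipsec phase1-interface
    edit "ipsec-dialup"
        set type dynamic
        set interface "Loopback"
    next
end
config firewall policy
    edit 14
        set srcintf "port1"
        set dstintf "Loopback"
        set dstaddr "ipsec-loopback500" "ipsec-loopback4500"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values such as "vpn group"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):       # descend into a table or an entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":                  # multi-value options keep a list
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):        # climb back out
            cur = stack.pop()
    return root


def first(entry, key):
    """First value of a set option, or None when the option is absent."""
    return entry.get(key, [None])[0]


def check_loopback_dialup(cfg):
    """Findings for every dynamic phase1 bound to a loopback that is reached via VIPs."""
    findings = []
    loopbacks = {n: e for n, e in cfg.get("system interface", {}).items()
                 if first(e, "type") == "loopback"}
    vips = cfg.get("firewall vip", {})
    used = {a for p in cfg.get("firewall policy", {}).values() for a in p.get("dstaddr", [])}
    for p1name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        bound = first(p1, "interface")
        if first(p1, "type") != "dynamic" or bound not in loopbacks:
            continue
        lb_ip = first(loopbacks[bound], "ip")
        # port-forward VIPs that map to the loopback IP, keyed by external port
        fwd = {first(v, "extport"): (n, v) for n, v in vips.items()
               if first(v, "portforward") == "enable" and first(v, "mappedip") == lb_ip}
        for port in ("500", "4500"):       # IKE and NAT-T ports the article forwards
            if port not in fwd:
                findings.append(f"{p1name}: no port-forward VIP for UDP {port} to {lb_ip}")
                continue
            vname, v = fwd[port]
            if first(v, "protocol") != "udp":
                findings.append(f"{p1name}: VIP {vname} forwards port {port} but protocol is not udp")
            if vname not in used:
                findings.append(f"{p1name}: VIP {vname} is not a dstaddr in any firewall policy")
        findings.append(f"{p1name}: dial-up tunnel on loopback '{bound}' reached through VIPs is "
                        "unsupported; expect 0 bytes received and esp_error in VPN events")
    return findings


if __name__ == "__main__":
    for line in check_loopback_dialup(parse_fortios(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the only finding is the unsupported-combination one, which is exactly the outcome the note describes; removing one VIP or leaving its protocol at the default produces an additional finding for that omission.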