Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Terminate site-to-site IPSec VPN tunnel on loopbac...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Terminate site-to-site IPSec VPN tunnel on loopback interfaces - Fortigate <-> Fortigate
Hi folks,
I'm attempting to setup my 2 testbed Fortigate 40F firewalls 6.4.10 to use their loopback interfaces to terminate a site-to-site IPSec VPN tunnel. The tunnel is currently fully operational on the 40F firewalls when not using loopback interfaces. I'm starting to wonder if terminating both ends of the IPSec VPN tunnel on loopback interfaces is a supported configuration in FortiOS 6.x?
Once this configuration is operational and technically understood in the testbed, the configuration will be implemented on our production firewalls.
WAN ports have static public IPs
FW1 Loopback assigned private IP 10.0.0.1 /29
FW2 Loopback assigned private IP 172.16.0.1 /29
Fortigate doc talks about this configuration, but I must be missing something as it does not work.
Any help would be greatly appreciated!
Thanks Jim
Thank You JimBo
Thank You JimBo
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @JimBo
Thanks for posting the update
The ipsec tunnel can be terminated to the loopback interface, but only the reachability to the loopback IPs should be there.
Can you just tell how the connectivity is between both the loopback IPs.
Take the below sniffer on both the FW and check from which port the traffic is going out to confirm the reachability between loopback
dia sniffer packet any 'host x.x.x.x and host y.y.y.y and icmp' 4 0 l
x.x.x.x and y.y.y.y are your loopback IPs, give the above command and initiate the ping to LB IP.
@bhishek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The topology is as follows:
FW1_L0_10.0.0.1--Wan_<public IP>--Public_Internet--FW2_Wan_<public IP>--L0_172.10.0.1
Since both ends use RFC 1918 private addressing these 2 private addresses cannot communicated unless some type of inter-connectivity is provided and thus this is the reason for the tunnel.
I'm thinking SNAT -Loop0 (private ip) to Wan (public IP) should do the trick.
Thanks
Jim
Thank You JimBo
Thank You JimBo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jim, SNAT cannot be applied to the self-originated traffic within one vdom.
If you specifically need to implement the design, i could recommend you to create two vdoms, let`s say ipsec and root.
root and ipsec vdoms will connect via an intervdom link and root vdom will be the internet-facing one.
You will terminate the VPN on the ipsec vdom and the root vdom will in charge of performing the SNAT.
But I`m not sure if that overall schema(terminating on the loopback and performing SNAT on a physical internet-facing interface) can be beneficial in any way.
Ahmad
Ahmad
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ahmad,
You are correct - I just enabled this in the configuration and it laughed at me.
Our need for terminating our site-to-site IPSec VPNs on the lookback interfaces is to cut down on the number of tunnels between sites. If we can terminate the VPN on a loopback interface -at both ends- the multiple ISP connections should be transparent while redundant. This will allow a lower number of BGP peers as-well.
I sort of get the vdom option but was hoping for something a little less complicated since the Fortigate documentation does speak to this loopback option when running in "Profile-based" mode but doesn't provide the actual details. We operate in the newer "Policy-based" mode but think (Hoping) this should still function.
As a side note, we plan to run private IPv6 addressing over the VPN tunnels as-well.
Thank you
Jim
Thank You JimBo
Thank You JimBo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Jim,
You can use Loopback interfaces for BGP peering, in this way, you can lower the number of BGP peers between your locations.
Thanks
Vladislav Ceban
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Vladislav
That is true but I still must manage multiple IPSec VPN tunnels. Seems Fortigate would have a complete solution. :)
Thank You JimBo
Thank You JimBo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATE:
The testlab HQ Fortigate 40F
L0 private ip
Wan static public ip
can communicate with
remote testlab Fortigate 40F
Wan static public ip.
(Or the other way around but not both using L0).
50% I guess is better the 0%. :)
Thanks
Thank You JimBo
Thank You JimBo
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate 3700 does not take aggregate... 13 Views
- Fortilink not working correctly? 101 Views
- Captive portal 103 Views
- Seeking Guidance: FortiGate HA 217 Views
- Software switch witouth loop in fortigate? 245 Views
Labels
-
FortiGate
8,507 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
SSL SSH inspection
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1663 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.