ipsec tunnel on loopback interface
Hi everyone,
I am wondering if it is possible to set up an IPsec tunnel on a loopback interface.
The idea is to have a configuration that is independent from the WAN interface(s), in order to use multiple WANs on the FortiGate for redundancy.
Thanks for your help
5 REPLIES
Suggestion
Assign an interface + IPv4 address (loopback) and see if you can select that as your VPN interface within routed VPN mode.
IIRC I believe you can. Once you determine if that's possible, then craft your static routes and the rest is just like any other VPN.
Remember one other thing: the VPN interface is treated like any other interface, so you will need firewall policies for traffic hitting it directly, like management stations, etc.
And allow-access for ssh/ping/snmp.
PCNSE
NSE
StrongSwan
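The steps in the suggestion above (loopback with a host address, phase 1 bound to it, static route, policies, minimal allow-access) written out as FortiOS CLI. This is an added illustration, not configuration from the thread or from Fortinet; interface names, addresses and the pre-shared key are placeholders, the "IKE" and "ESP" service objects are assumed to be predefined on your build, and the thread itself does not confirm that the tunnel comes up on a loopback.

```text
# Constructed example: FortiOS CLI for the loopback-terminated IPsec design described above.
# Placeholders: lo-vpn, tun-lo, wan1/wan2, 192.0.2.1 (local loopback), 198.51.100.1 (peer),
# 10.2.0.0/16 (remote LAN). Verify each keyword against your FortiOS version.
config system interface
    edit "lo-vpn"
        set vdom "root"
        set type loopback
        # /32 host address; it must be routable from the peer over every WAN link
        set ip 192.0.2.1 255.255.255.255
        # keep management access minimal; ping is enough to test reachability
        set allowaccess ping
    next
end
# Phase 1 bound to the loopback, so the tunnel endpoint does not change on WAN failover
config vpn ipsec phase1-interface
    edit "tun-lo"
        set interface "lo-vpn"
        set ike-version 2
        set remote-gw 198.51.100.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <placeholder-psk>
    next
end
config vpn ipsec phase2-interface
    edit "tun-lo-p2"
        set phase1name "tun-lo"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
# Remote LAN through the tunnel; the loopback itself is reached via whichever WAN is up
config router static
    edit 1
        set dst 10.2.0.0 255.255.0.0
        set device "tun-lo"
    next
end
# Traffic to the loopback is not "local-in" on the WAN; it needs a policy from each WAN.
# Limit it to IKE/ESP rather than ALL. LAN <-> tun-lo data policies are needed as for any VPN.
config firewall policy
    edit 1
        set name "wan-to-loopback-ike"
        set srcintf "wan1" "wan2"
        set dstintf "lo-vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end
```

The peer needs the mirror configuration with 192.0.2.1 as its remote gateway; if the loopback address is only reachable through one WAN, the redundancy goal is not met.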
Thank you for your suggestion.
I have tried to set up an IPsec VPN between two VDOMs on a FortiGate using a loopback interface.
In phase 1 the loopback interface is available in the web interface and can be selected as the local interface.
Unfortunately I couldn't set up a working tunnel between the two loopbacks :(, while ping works correctly between them.
When I replace the loopback interface by the VDOM link, the tunnel works.
I am wondering if setting up an IPsec VPN with a loopback is simply not possible (in this case the loopback interface should not be present in the web interface for configuring phase 1) or if I made a mistake somewhere.
Qs:
>Is the other VDOM interface in the other VDOM?
>Do you really need an IPsec tunnel between 2 VDOMs? Sounds like a lot of overhead, and how much more security do you need for traffic inter-VDOM on the same firewall, or am I missing something :) ?
I'll lab out a working loopback interface for an IPsec tunnel. I do recall doing this once before and it was trivial and no different than using a real interface. Same goes for any other virtual interface (bond-lacp, VLAN subinterface, etc.).
It's just another interface as far as the FGT is concerned.
PCNSE
NSE
StrongSwan
>Is the other VDOM interface in the other VDOM?

What do you mean by "VDOM interface"? The other loopback interface? In this case yes. I have one loopback on each VDOM and one VDOM link between the two VDOMs.

>Do you really need an IPsec tunnel between 2 VDOMs? Sounds like a lot of overhead, and how much more security do you need for traffic inter-VDOM on the same firewall, or am I missing something :) ?

Absolutely not :), I just use VDOMs for testing. Once I validate that IPsec is possible (or not) on a loopback interface I intend to set that up on distinct equipment.
You clarified exactly what I needed to know. I'm not sure this is going to work, but try it using 2x loopbacks in 2 unique VDOMs and let us know the outcome.
I don't know if you can terminate a VPN IPsec tunnel on a loopback, but crafting an IPsec tunnel inter-VDOM is not a normal setup. I have a hunch it would work, and if you're doing this for trial and proof-of-concept, it might be challenging.
PCNSE
NSE
StrongSwan
