Tips & Tricks: Using Loopback Interfaces for Site-to-Site VPNs

Community Team Member



Did you know you can use loopback interfaces for VPNs? If you have the address space, you can assign an address from your publicly assigned range to a loopback interface and use it as the local IP address of the VPN.




  • The loopback interface must be in the same zone as the external interface.
  • The loopback IP address must be within the same subnet as the external interface.
  • Place the tunnel interface in a different zone for more granular security policies and visibility.


Create the loopback interface and assign the appropriate IP address. Remember to use an IP address that is free within the same subnet as your external interface.




Create a zone for the tunnel interface. In this example, the tunnel interface is placed in the vpn-int zone.




Create the appropriate NAT rules to allow inbound and outbound VPN connections.




Create the appropriate security policies: one to allow the loopback interface to communicate with the IPsec peers, and one to allow the tunnel interface to reach internal resources.




The local IKE gateway can be configured as usual with a static remote peer.




Enable NAT Traversal (NAT-T) on the IKE gateway as well.




Peer identification must be configured on the remote end, because the remote host receives the loopback's private IP as the identification parameter while the physical source IP address differs due to the NAT configuration.


The IPsec Tunnel object can be created without any special configuration.




Route the appropriate subnets into the tunnel on each side by adding a route.
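Before committing a design like the one above, it helps to check the three rules from the start of the post (loopback in the external subnet, loopback in the external zone, tunnel interface in a separate zone) against the planned addresses. The script below is an added example written for this page, not code from the original post or from any firewall vendor; the addresses and zone names it uses are constructed, and it also flags a loopback address that collides with the external interface, the subnet's network or broadcast address, or any address you list as already reserved (such as the ISP gateway).

```python
"""Pre-change check for the loopback-as-VPN-endpoint design.

Constructed example values (TEST-NET-3, 203.0.113.0/24); nothing here is
taken from a real deployment.
"""
import ipaddress


def check_loopback_vpn_design(external_ip, external_zone, loopback_ip,
                              loopback_zone, tunnel_zone, reserved=()):
    """Return a list of findings; an empty list means the design passes.

    external_ip / loopback_ip: 'addr/prefix' strings as set on the interfaces.
    reserved: addresses already in use in the external subnet (e.g. the ISP
    gateway) that the loopback must not reuse.
    """
    findings = []
    ext = ipaddress.ip_interface(external_ip)
    lo = ipaddress.ip_interface(loopback_ip)
    ext_net = ext.network

    # Rule 2: the loopback address must fall inside the external subnet.
    if lo.ip not in ext_net:
        findings.append(f"loopback {lo.ip} is outside external subnet {ext_net}")
    elif ext_net.num_addresses > 2 and lo.ip in (ext_net.network_address,
                                                 ext_net.broadcast_address):
        # Network and broadcast addresses are not usable host addresses.
        findings.append(f"loopback {lo.ip} is the network or broadcast address")

    # The loopback must be a free address: not the external IP, not reserved.
    if lo.ip == ext.ip:
        findings.append(f"loopback {lo.ip} collides with external interface IP")
    for addr in reserved:
        if lo.ip == ipaddress.ip_address(addr):
            findings.append(f"loopback {lo.ip} collides with reserved address")

    # Rule 1: loopback and external interface share a zone.
    if loopback_zone != external_zone:
        findings.append(f"loopback zone {loopback_zone!r} differs from "
                        f"external zone {external_zone!r}")
    # Rule 3: tunnel interface lives in its own zone for separate policies.
    if tunnel_zone in (external_zone, loopback_zone):
        findings.append(f"tunnel zone {tunnel_zone!r} must differ from "
                        f"the external/loopback zone")
    return findings


if __name__ == "__main__":
    # Constructed design: /29 from the ISP, .1 is the provider gateway.
    for f in check_loopback_vpn_design("203.0.113.2/29", "untrust",
                                       "203.0.113.5/32", "untrust", "vpn-int",
                                       reserved=["203.0.113.1"]):
        print("FINDING:", f)
```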




All comments or suggestions are encouraged.


Thanks for reading!

1 Comment
L2 Linker

Thank you for the wonderful post; I would like to know the use case scenarios for this setup.


Thank you

