Did you know you can use loopback interfaces for VPNs? If you have the space, you can assign addresses within your publicly assigned range as the local IP address of the VPN.
Create the loopback and assign the appropriate IP address. Remember to use an IP address that is available within the same subnet of your external interface.
Create a zone for the tunnel interface. In this example, the tunnel interface is assigned to the vpn-int zone.
Create the appropriate NAT rules to allow inbound and outbound VPN connections.
Create the appropriate security policies to allow the loopback interface to communicate with the IPSec peers and the tunnel interface to connect to internal resources.
The local IKE gateway can be configured as usual with a static remote peer.
Configure NAT-T as well.
Peer identification must be configured on the remote end: the remote host receives the loopback's private IP as the identification parameter, while the physical IP address it sees is different because of the NAT configuration.
The IPSec Tunnel object can be created without any special configuration.
Route the appropriate subnets into the tunnel on either side by adding a route.
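The steps above, sketched as PAN-OS configure-mode `set` commands. This is an added example, not configuration taken from the original article, and lines beginning with `#` are annotations rather than commands. Assumptions: every object name, interface number and address (documentation ranges) is a constructed placeholder except the vpn-int zone, the virtual router is `default`, and the NAT and security rules are left out because they depend on your own zone layout.

```text
# Loopback that terminates IKE, plus the tunnel interface (placeholder addresses)
set network interface loopback units loopback.1 ip 198.51.100.10/32
set network interface tunnel units tunnel.1
set network virtual-router default interface [ loopback.1 tunnel.1 ]

# Zone for the tunnel interface, as named in the article
set zone vpn-int network layer3 tunnel.1

# IKE gateway bound to the loopback, static remote peer, NAT-T enabled
set network ike gateway GW-remote authentication pre-shared-key key <pre-shared-key>
set network ike gateway GW-remote local-address interface loopback.1
set network ike gateway GW-remote local-address ip 198.51.100.10/32
set network ike gateway GW-remote peer-address ip 203.0.113.20
set network ike gateway GW-remote protocol-common nat-traversal enable yes

# Identity sent to the peer; the remote end sets its peer identification to match
set network ike gateway GW-remote local-id type ipaddr id 198.51.100.10

# IPSec tunnel with no special configuration
set network tunnel ipsec IPSEC-remote tunnel-interface tunnel.1
set network tunnel ipsec IPSEC-remote auto-key ike-gateway GW-remote
set network tunnel ipsec IPSEC-remote auto-key ipsec-crypto-profile default

# Route the remote subnet into the tunnel (mirror this on the other side)
set network virtual-router default routing-table ip static-route to-remote destination 10.20.0.0/24 interface tunnel.1
```

Review the candidate configuration before committing, and confirm that the security policy permits IKE and IPSec only between the loopback address and the known peer.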
All comments or suggestions are encouraged.
Thanks for reading!