FTD Site to Site VPN Question

benolyndav · ‎09-16-2025

Hi

Quick question, Is it possible to Configure a RB VPN on an FTD using a Loopback Interface.??

I ask because I have been requested to set up one but the thing is the peer IP I have to use my side is not one of the FTD Interface IP Addresses, Also is this the best way to achieve this or is there another way. ??

Thankyou

Rob Ingram · ‎09-16-2025

@benolyndav yes you can use a loopback on a route based VPN (VTI or DVTI) https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html

Loopback feature was introduced in version 7.3 - https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

benolyndav · ‎09-17-2025

@Rob Ingram
So excuse my ignorance but when creating a RB VPN its suggested to use the 169.x.x.x IP Addresses I have done these before without any issues, not sure how this works or needs configuring if I am to use a loopback address for the local RB VPN address.??

Thanks

MHM Cisco World · ‎09-17-2025

Now give any IP to LO (unused IP) like 1.1.1.1

Then check vti tunnel source can you select Lo as tunnel source?

If Yes then it OK what you need is static route for Remote LO toward WAN interface

If NOT then FMC/FTD not support LO as tunnel source

MHM

benolyndav · ‎09-17-2025

@MHM Cisco World

Thanks for that and yes I do see the Loopback available for the VTI, So because the IP Address I am using and the 3rd party will be peering with is not an Interface IP Address is this the only way I can do it ??

Thanks

Rob Ingram · ‎09-17-2025

@benolyndav sounds like you need to use the loopback as the tunnel source rather than the interface IP address. You obviously have the correct IP address defined on the loopback.

benolyndav · ‎10-01-2025

@Rob Ingram Yes I have selected that but what about the below what do I need to select for this please
P.s sorry about the delayed response

Rob Ingram · ‎10-01-2025

@benolyndav the loopback interface can be used as either a tunnel source or a borrow source, but not both. So if you want to terminate the VPN on the loopback, select tunnel source only.

benolyndav · ‎10-01-2025

@Rob Ingram So I need to use something from the below range for the VTI IP

Rob Ingram · ‎10-01-2025

@benolyndav for the VTI tunnel IP address, I would typically personally use an IP address from the internal LAN network space. Personal choice though. It needs to be routed over the tunnel and unique.

benolyndav · ‎10-03-2025

@Rob Ingram
So if I use a 169.254.7.X/30 address for my vti and the loopback for the tunnel source, what do I point my static routes to for traffic going over the tunnel ??

Rob Ingram · ‎10-03-2025

Hi @benolyndav You'd point the route to the peer's tunnel IP address in the 169.254.7.X/30 network.

benolyndav · ‎10-03-2025

@Rob Ingram They aren't using one in that range that's the thing .??

Rob Ingram · ‎10-03-2025

@benolyndav configure both tunnel interfaces (yours and the peers) in the same network, so they can communicate. Then create static routes (or use dynamic) for the local networks.

benolyndav · ‎10-15-2025

@Rob Ingram Is it possible to use a NAT address has the peer IP address for RB/PB Site to Site VPNs at all on FTD??
Thanks