09-16-2025 01:59 AM
Hi
Quick question: is it possible to configure a RB VPN on an FTD using a loopback interface?
I ask because I have been requested to set one up, but the thing is the peer IP I have to use on my side is not one of the FTD interface IP addresses. Also, is this the best way to achieve this, or is there another way?
Thank you
09-16-2025 02:01 AM - edited 09-16-2025 02:03 AM
@benolyndav Yes, you can use a loopback on a route-based VPN (VTI or DVTI): https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html
The loopback feature was introduced in version 7.3 - https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface
09-17-2025 01:34 AM - edited 09-17-2025 01:34 AM
@Rob Ingram
So excuse my ignorance, but when creating a RB VPN it's suggested to use the 169.x.x.x IP addresses. I have done these before without any issues, but I'm not sure how this works or needs configuring if I am to use a loopback address for the local RB VPN address.
Thanks
09-17-2025 01:43 AM
Now give any IP to the LO (an unused IP) like 1.1.1.1.
Then check the VTI tunnel source: can you select the LO as tunnel source?
If yes, then it's OK; what you need is a static route for the remote LO toward the WAN interface.
If not, then FMC/FTD does not support LO as tunnel source.
MHM
09-17-2025 02:37 AM
Thanks for that, and yes, I do see the loopback available for the VTI. So because the IP address I am using and the 3rd party will be peering with is not an interface IP address, is this the only way I can do it?
Thanks
09-17-2025 02:41 AM
@benolyndav Sounds like you need to use the loopback as the tunnel source rather than the interface IP address. You obviously have the correct IP address defined on the loopback.
10-01-2025 03:44 AM
@Rob Ingram Yes, I have selected that, but what about the below? What do I need to select for this, please?
P.S. Sorry about the delayed response.
10-01-2025 03:54 AM
@benolyndav the loopback interface can be used as either a tunnel source or a borrow source, but not both. So if you want to terminate the VPN on the loopback, select tunnel source only.
10-01-2025 04:26 AM
10-01-2025 04:30 AM
@benolyndav For the VTI tunnel IP address, I would typically personally use an IP address from the internal LAN network space. Personal choice, though. It needs to be routed over the tunnel and unique.
09-17-2025 02:42 AM - edited 09-17-2025 02:53 AM
Let me summarize:
VTI using WAN (public IP) as tunnel source: the VTI will be up since the public IP is reachable.
VTI using LO (as tunnel source) with any IP: if the remote peer cannot reach this IP, the VTI will be down.
Note: you can ONLY use LO as tunnel source.
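The setup described in this thread (loopback as the VTI tunnel source, a static route for the remote peer toward the WAN interface, and a VTI address taken from internal space), as an added example that is not from any post here and not from Cisco's documentation. It is written in ASA-style CLI as it would appear in the FTD running config (an FMC-managed FTD is configured through the FMC GUI, not by typing this); all addresses, interface names and proposal names are constructed placeholders, and the IKEv2 policy and tunnel-group (pre-shared key) configuration are assumed to exist and are omitted.

```cisco
! Loopback that carries the local peer address (constructed example: 1.1.1.1).
! It is only usable as a tunnel source if the remote peer can reach it, so it
! must be routable toward the peer (advertised or statically routed upstream).
interface Loopback1
 nameif lo-vpn
 ip address 1.1.1.1 255.255.255.255
!
! IPsec proposal and profile referenced by the VTI (hypothetical names).
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
! Route-based VPN: the tunnel is sourced from the loopback, not from the
! WAN interface. The tunnel IP is from internal space, as suggested above,
! and must be unique and routed only over the tunnel.
interface Tunnel1
 nameif vti-peer
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface lo-vpn
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Static route for the remote peer toward the WAN next hop (constructed:
! peer 203.0.113.10 via 198.51.100.1 on the interface named "outside"),
! so IKE/ESP for the loopback-sourced tunnel leaves via the WAN.
route outside 203.0.113.10 255.255.255.255 198.51.100.1 1
!
! Remote LAN (constructed: 192.168.50.0/24) reached over the VTI, with the
! far-end tunnel address as next hop.
route vti-peer 192.168.50.0 255.255.255.0 10.255.0.2 1
```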