FTD Site to Site VPN Question

benolyndav · ‎09-16-2025

Hi

Quick question, Is it possible to Configure a RB VPN on an FTD using a Loopback Interface.??

I ask because I have been requested to set up one but the thing is the peer IP I have to use my side is not one of the FTD Interface IP Addresses, Also is this the best way to achieve this or is there another way. ??

Thankyou

Rob Ingram · ‎09-16-2025

@benolyndav yes you can use a loopback on a route based VPN (VTI or DVTI) https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html

Loopback feature was introduced in version 7.3 - https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

benolyndav · ‎09-17-2025

@Rob Ingram
So excuse my ignorance but when creating a RB VPN its suggested to use the 169.x.x.x IP Addresses I have done these before without any issues, not sure how this works or needs configuring if I am to use a loopback address for the local RB VPN address.??

Thanks

MHM Cisco World · ‎09-17-2025

Now give any IP to LO (unused IP) like 1.1.1.1

Then check vti tunnel source can you select Lo as tunnel source?

If Yes then it OK what you need is static route for Remote LO toward WAN interface

If NOT then FMC/FTD not support LO as tunnel source

MHM

benolyndav · ‎09-17-2025

@MHM Cisco World

Thanks for that and yes I do see the Loopback available for the VTI, So because the IP Address I am using and the 3rd party will be peering with is not an Interface IP Address is this the only way I can do it ??

Thanks

Rob Ingram · ‎09-17-2025

@benolyndav sounds like you need to use the loopback as the tunnel source rather than the interface IP address. You obviously have the correct IP address defined on the loopback.

benolyndav · ‎10-01-2025

@Rob Ingram Yes I have selected that but what about the below what do I need to select for this please
P.s sorry about the delayed response

Rob Ingram · ‎10-01-2025

@benolyndav the loopback interface can be used as either a tunnel source or a borrow source, but not both. So if you want to terminate the VPN on the loopback, select tunnel source only.

benolyndav · ‎10-01-2025

@Rob Ingram So I need to use something from the below range for the VTI IP

Rob Ingram · ‎10-01-2025

@benolyndav for the VTI tunnel IP address, I would typically personally use an IP address from the internal LAN network space. Personal choice though. It needs to be routed over the tunnel and unique.

MHM Cisco World · ‎09-17-2025

Let summary

VTI use WAN (public IP) as tunnel source' vti will be UP since public IP is reachable

Vti using LO (as tunnel srouce) with any IP' if remote peer can not reach this IP vti will be down

Note:- you can ONLY use LO as tunnel source.

MHM Cisco World · ‎09-16-2025

https://www.cisco.com/c/en/us/support/docs/security-vpn/internet-security-association-key-management-protocol-isakmp/222055-configure-route-based-site-to-site-vpn-b.html

Yes you can

Check above link

MHM