I can definitely try pointing you in the right direction. Hopefully the way I achieve it is recommended :) I'm sure others can chime in if they see something wrong.
For me, I wanted to have the VPN portion on its own public IP (we have a full class B so that isn't an issue). I'm sure you could apply this config with a NATed IP if you had to.
Step 1 - Create your Loopback Interface and assign it the IP of your choice, apply the WAN role and allow PING temporarily to be sure you can reach the interface from outside (tested in Step 6).
Step 2 - Create an Address object for your Loopback Interface IP (optional).
Step 3 - Create a Static Route using Named Address with Destination (the loopback Address you just created, or insert the IP), Device being your LAN interface (in my case, I have an LACP connection to my Core), Gateway 0.0.0.0.
Step 4 - Create your IPSEC (or SSLVPN) Tunnel and point the Interface to the Loopback Interface you created in Step 1. To start, I simply went through the IPSEC wizard, followed the instructions and assigned a local account to allow access.
Step 5 - Create your IPv4 Policy to allow External access to the Loopback interface (IKE, HTTPS and PING services suffice to allow IPSEC and SSLVPN and allow your ping test). This would have your SDWAN as the incoming interface and the Loopback Interface as the Outgoing. In my case, NAT was turned off as I am using a Public IP.
Step 6 - Confirm you can ping your Loopback interface.
Step 7 - You should have 3 IPv4 policies to have this work:
The new policy from your SD-WAN to the Loopback Interface.
The policy created from your IPSEC tunnel to your LAN interface with your Client VPN subnet as source.
The policy created from your IPSEC tunnel to your SDWAN interface with NAT turned on towards your Outgoing Interface Address.
Hopefully I didn't forget anything. If you have any other questions, don't hesitate to let me know.
post edited by bcote - 2017/05/26 07:52:00
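The steps above rendered as FortiOS CLI, as an added example that is not part of the original post: the interface name "vpn-loop", the loopback IP 203.0.113.10, the LAN port "port2", the SD-WAN interface name "virtual-wan-link", the tunnel name "vpn-dialup" and the address objects "vpn-loop-addr" (Step 2) and "vpn-client-range" (the client VPN subnet) are all assumed placeholders, and the tunnel itself (Step 4) is assumed to have been created by the wizard.

```text
# Step 1: loopback interface, WAN role, PING allowed for the Step 6 test (placeholder IP)
config system interface
    edit "vpn-loop"
        set type loopback
        set ip 203.0.113.10 255.255.255.255
        set allowaccess ping
        set role wan
    next
end
# Step 3: static route for the loopback IP via the LAN interface, gateway left at 0.0.0.0
config router static
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set device "port2"
    next
end
# Steps 5 and 7: the three policies ("vpn-dialup" = tunnel from Step 4, "vpn-loop-addr" = Step 2)
config firewall policy
    edit 0
        set name "sdwan-to-vpn-loop"
        set srcintf "virtual-wan-link"
        set dstintf "vpn-loop"
        set srcaddr "all"
        set dstaddr "vpn-loop-addr"
        set action accept
        set schedule "always"
        set service "IKE" "HTTPS" "PING"
    next
    edit 0
        set name "vpn-to-lan"
        set srcintf "vpn-dialup"
        set dstintf "port2"
        set srcaddr "vpn-client-range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn-to-sdwan-nat"
        set srcintf "vpn-dialup"
        set dstintf "virtual-wan-link"
        set srcaddr "vpn-client-range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The first policy has NAT off and the third has `set nat enable` with no IP pool, which is what translates client traffic to the outgoing interface address as described in the last bullet; remove `ping` from `allowaccess` on the loopback once the Step 6 test is done.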