Screen OS

  • 1.  VPNs with separate external gateway IPs on secondary subnet

    Posted 04-24-2014 06:47

    I am attempting to configure VPNs to a large partner network.  For this VPN setup, they require the gateway to be two different public IPs.  We have two separate /28 subnets of IPs from our ISP.  The first one is full and cannot be changed, but is where my egress interface resides. 

    To elaborate, let's say my first IP block is 1.1.250.112/28 with egress interface at 1.1.250.116

    Second IP block is 1.1.250.192/28 

    The gateway IPs I have available to use for these VPNs are 1.1.250.204 and 1.1.250.205

     

    Options I've thought of using are to set two loopback interfaces with 1.1.250.204 and 1.1.250.205 and use these for gateways out, but there is a question of how to best route traffic back into them. Would these best be in the trust or untrust zone?  Can you use a MIP on the untrust interface to these loopbacks with the same IP? 



  • 2.  RE: VPNs with separate external gateway IPs on secondary subnet
    Best Answer

    Posted 04-24-2014 09:34

    You can enable Proxy ARP on your egress interface for .204 and .205 to get the traffic to your loopbacks. I'd put the loopbacks in Untrust.

     

    Errr ... wait, does the egress interface have an address on the 2nd block? Or is your provider routing the 2nd block, statically or otherwise, to your egress interface address from the first block? If the latter, you shouldn't even need Proxy ARP. Just don't forget to create the necessary Untrust-to-Untrust policies.
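    The configuration the answer above describes, written out as an added ScreenOS CLI example (not code from the thread or from Juniper): two loopbacks in the Untrust zone carrying the second-block addresses, proxy ARP on the egress interface so those addresses answer on the first-block link, one route-based VPN per loopback, and the intrazone Untrust policy. The addresses 1.1.250.116, 1.1.250.204 and 1.1.250.205 are the ones used in the thread; the egress interface name ethernet0/0, the partner gateway addresses 203.0.113.10 and 203.0.113.11, and the preshared keys are placeholders.

```screenos
# Loopbacks carry the second-block gateway IPs. They must be in the same zone
# as the egress interface (Untrust), as the thread concludes.
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.250.204/32
set interface loopback.2 zone untrust
set interface loopback.2 ip 1.1.250.205/32

# Proxy ARP is only needed if the ISP resolves 1.1.250.192/28 by ARP on the
# egress link. If the ISP already routes that block to 1.1.250.116, omit this.
# ethernet0/0 is an assumed name for the egress interface holding 1.1.250.116.
set interface ethernet0/0 proxy-arp-entry 1.1.250.204 1.1.250.205

# One tunnel interface per VPN, unnumbered to its loopback so the loopback
# address is the local endpoint the partner sees.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface loopback.2

# IKE gateways sourced from the loopbacks. Peer addresses and keys are
# placeholders; replace with the partner's values.
set ike gateway partner-gw1 address 203.0.113.10 main outgoing-interface loopback.1 preshare "REPLACE-WITH-KEY-1" sec-level standard
set ike gateway partner-gw2 address 203.0.113.11 main outgoing-interface loopback.2 preshare "REPLACE-WITH-KEY-2" sec-level standard

# Route-based VPNs bound to the tunnel interfaces.
set vpn partner-vpn1 gateway partner-gw1 sec-level standard
set vpn partner-vpn1 bind interface tunnel.1
set vpn partner-vpn2 gateway partner-gw2 sec-level standard
set vpn partner-vpn2 bind interface tunnel.2

# IKE and ESP arrive on ethernet0/0 for a loopback in the same zone, so an
# intrazone Untrust policy is required. Once the tunnels are up, narrow this
# from any/any to the partner gateway addresses and the IKE/IPsec services.
set policy from untrust to untrust any any any permit
```

    The point to verify before leaving this in place is the proxy-ARP line: with proxy ARP enabled the firewall will answer ARP for the listed range on the egress link, so the entry should cover only the loopback addresses actually in use, not the whole second /28.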



  • 3.  RE: VPNs with separate external gateway IPs on secondary subnet

    Posted 04-24-2014 12:13

    This was it.  The biggest issue was the loopback IPs needed to be in the untrust zone, the same as the egress interface.  Once this was in place, and the Untrust/Untrust policy in place, it worked like a charm.  VPNs came up and I am passing traffic and BGP with peer. 



  • 4.  RE: VPNs with separate external gateway IPs on secondary subnet

    Posted 04-24-2014 10:59

    Why do you require two different public IPs?  Is it for redundancy?  If so, why are you putting them on the same interface?



  • 5.  RE: VPNs with separate external gateway IPs on secondary subnet

    Posted 04-24-2014 12:15

    It was a design requirement from our partner, and to be honest I have no idea why they designed it like this.  The goal is a full mesh IPSec VPN w/BGP.   They do a lot more VPNs than I, so I went along with their proposed plan.