NP4 IPsec VPN offloading configuration example

Hardware accelerated IPsec processing, involving either partial or full offloading, can be achieved in either tunnel or interface mode IPsec configurations.

To achieve offloading for both encryption and decryption:

  • In the Phase 1 configuration’s Advanced section, Local Gateway IP must be set to the IP address of a network interface associated with a port attached to a network processor. (In other words, if the Phase 1 Local Gateway IP is Main Interface IP, or is an IP address that is not associated with such an interface, IPsec processing is not offloaded to the network processor.)
  • In the Phase 2 configuration’s P2 Proposal section, if the “Enable replay detection” checkbox is enabled, enc-offload-antireplay and dec-offload-antireplay must be set to enable in the CLI.
  • offload-ipsec-host must be set to enable in the CLI.

This section contains example IPsec configurations whose IPsec encryption and decryption processing is hardware accelerated by an NP4 unit contained in a FortiGate-5001B at both ends of the VPN tunnel.

Hardware accelerated IPsec VPN does not require both tunnel endpoints to have the same network processor model. However, if hardware is not symmetrical, the packet forwarding rate is limited by the slower side.
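The following FortiOS CLI fragment is an added example (not from this post or from Fortinet documentation) showing the three offload requirements above applied to one end of an interface-mode tunnel. Assumed: port1 is an NP4-attached port holding 192.0.2.1/24, the peer is 198.51.100.1, the protected subnets are 10.1.0.0/24 and 10.2.0.0/24, "PSK-PLACEHOLDER" stands in for a real pre-shared key, and the anti-replay and host offload settings live under config system npu; firewall policies and routing are omitted.

```fortios
# Added example, constructed addresses and names. One end of an interface-mode tunnel.
config vpn ipsec phase1-interface
    edit "np4-vpn"
        set type static
        set interface "port1"
        set ike-version 1
        # Requirement 1: local-gw is the NP-attached port's own address.
        # Leaving it at 0.0.0.0 (Main Interface IP) means no offload per the post.
        set local-gw 192.0.2.1
        set remote-gw 198.51.100.1
        set proposal aes128-sha1
        set psksecret "PSK-PLACEHOLDER"
    next
end
config vpn ipsec phase2-interface
    edit "np4-vpn-p2"
        set phase1name "np4-vpn"
        set proposal aes128-sha1
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
        # Replay detection stays enabled; requirement 2 below keeps the tunnel
        # offloadable with replay detection on.
        set replay enable
    next
end
config system npu
    # Requirement 2: anti-replay handling offloaded for both directions
    # (assumed location of these settings: config system npu).
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
    # Requirement 3 from the post.
    set offload-ipsec-host enable
end
```

After the tunnel comes up, an offloaded session shows "npu" in its state line and a non-zero offload count in diagnose sys session list, as in the comment below.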

2 thoughts on “NP4 IPsec VPN offloading configuration example”

  1. Bjørn Tore

    Not quite sure if this is entirely correct: I don’t assign local-gw in my config, but the traffic gets offloaded (6/6 on a FG60D).

    config vpn ipsec phase1-interface
    edit "IPSEC"
    set type static
    set interface "wan1"
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    (…)

    session info: proto=1 proto_state=00 duration=21 expire=39 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    ha_id=0 policy_dir=0 tunnel=/IPSEC vlan_cos=0/255
    state=may_dirty npu
    statistic(bytes/packets/allow_err): org=3056/2/1 reply=3056/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=21->23/23->21 gwy=10.201.44.2/10.80.0.9
    hook=pre dir=org act=noop 10.80.0.9:32586->10.201.44.2:8(0.0.0.0:0)
    hook=post dir=reply act=noop 10.201.44.2:32586->10.80.0.9:0(0.0.0.0:0)
    misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=1
    serial=001833a0 tos=ff/ff app_list=0 app=0 url_cat=0
    dd_type=0 dd_mode=0
    npu_state=0x003000
    npu info: flag=0x81/0x82, offload=6/6, ips_offload=0/0, epid=4/2, ipid=2/4, vlan=0x0000/0x8064
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0

    1. Mike Post author

      Thanks for the info Bjorn! My post is straight from Fortinet documentation but I do know that there is a lot of behavior that doesn’t necessarily follow documented items. Your insight is much appreciated.
