NP4 IPsec VPN offloading configuration example

Example network topology for offloaded IPsec processing

FortiGate_1

Protected Network

Protected Network

FortiGate_2

 

Example ports and IP addresses for offloaded IPsec processing

FortiGate_1                                                 FortiGate_2

 

 

 

 

 

IPsec tunnel

 

Port

 

IP

 

Port

 

IP

 

FortiGate-5001B

port 2

 

3.3.3.1/24

 

FortiGate-5001B

port 2

 

3.3.3.2/24

 

Protected net- work

 

FortiGate-5001B

port 1

 

1.1.1.0/24

 

FortiGate-5001B

port 1

 

2.2.2.0/24

 

Accelerated policy mode IPsec configuration

The following steps create a hardware accelerated policy mode IPsec tunnel between two FortiGate-5001B units, each containing two NP4 processors, the first of which will be used.

 

To configure hardware accelerated policy mode IPsec

1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).

2. Configure Phase 1.

For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required.

Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module port 2.

3. Configure Phase 2.

4. Select Enable replay detection.

5. Use the following command to enable offloading antireplay packets:

config system npu

set enc-offload-antireplay enable end

For details on encryption and decryption offloading options available in the CLI, see”Configuring NP

accelerated VPN encryption/decryption offloading”.

6. Go to Policy > Policy > Policy.

7. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 2 to traffic between FortiGate-5001B

ports 1 and 2.

8. Go to Router > Static > Static Route.

9. Configure a static route to route traffic destined for FortiGate_2’s protected network to VPN IP address of

FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-5001B port2. You can also configure the static route using the following CLI command:

config router static edit 2

set device “AMC-SW1/2”

set dst 2.2.2.0 255.255.255.0 set gateway 3.3.3.2

end

10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).

11. Configure Phase 1.

For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required.

Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s port2.

12. Configure Phase 2.

13. Select Enable replay detection.

14. Use the following command to enable offloading antireplay packets:

config system npu

set enc-offload-antireplay enable end

For details on encryption and decryption offloading options available in the CLI, see Configuring NP

accelerated IPsec VPN encryption/decryption offloading on page 1201.

15. Go to Policy > Policy > Policy.

16. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 9 to traffic between FortiGate-5001B ports 1 and 2.

17. Go to Router > Static > Static Route.

18. Configure a static route to route traffic destined for FortiGate_1’s protected network to VPN IP address of FortiGate_1’s VPN gateway, 3.3.3.1, through the FortiGate-5001B port2. You can also configure the static route using the following CLI commands:

config router static edit 2

set device “AMC-SW1/2”

set dst 1.1.1.0 255.255.255.0 set gateway 3.3.3.1

end

19. Activate the IPsec tunnel by sending traffic between the two protected networks.

To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.

 

Accelerated interface mode IPsec configuration

The following steps create a hardware accelerated interface mode IPsec tunnel between two FortiGate units, each containing a FortiGate-ASM-FB4 module.

To configure hardware accelerated interface mode IPsec

1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).

2. Configure Phase 1.

For interface mode IPsec and for hardware acceleration, the following settings are required.

Select Advanced.

Enable the checkbox “Enable IPsec Interface Mode.”

In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of

FortiGate_2’s port 2.

3. Configure Phase 2.

4. Select Enable replay detection.

5. Use the following command to enable offloading antireplay packets:

config system npu

set enc-offload-antireplay enable end

For details on encryption and decryption offloading options available in the CLI, see “Configuring NP

accelerated VPN encryption/decryption offloading”.

6. Go to Policy > Policy > Policy.

7. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4 module port 1.

8. Go to Router > Static > Static Route.

9. Configure a static route to route traffic destined for FortiGate_2’s protected network to the Phase 1 IPsec device, FGT_1_IPsec.

You can also configure the static route using the following CLI commands:

config router static edit 2

set device “FGT_1_IPsec”

set dst 2.2.2.0 255.255.255.0 end

10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).

11. Configure Phase 1.

For interface mode IPsec and for hardware acceleration, the following settings are required.

Enable the checkbox “Enable IPsec Interface Mode.”

In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of

FortiGate_1’s FortiGate-5001B port 2.

12. Configure Phase 2.

13. Select Enable replay detection.

14. Use the following command to enable offloading antireplay packets:

config system npu

set enc-offload-antireplay enable end

For details on encryption and decryption offloading options available in the CLI, see ” Hardware acceleration overview” on page 1193.

15. Go to Policy > Policy > Policy.

16. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 9 to traffic leaving from or arriving on FortiGate-5001B port 1.

17. Go to Router > Static > Static Route.

18. Configure a static route to route traffic destined for FortiGate_1’s protected network to the Phase 1 IPsec device, FGT_2_IPsec.

You can also configure the static route using the following CLI commands:

config router static edit 2

set device “FGT_2_IPsec”

set dst 1.1.1.0 255.255.255.0 next

end

19. Activate the IPsec tunnel by sending traffic between the two protected networks.

To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

2 thoughts on “NP4 IPsec VPN offloading configuration example

  1. Bjørn Tore

    Not quite sure if this is entirely correct: I don’t assign local-gw in my config, but the traffic gets offloaded (6/6 on a FG60D).

    config vpn ipsec phase1-interface
    edit “IPSEC”
    set type static
    set interface “wan1”
    set ip-version 4
    set ike-version 1
    set local-gw 0.0.0.0
    (…)

    session info: proto=1 proto_state=00 duration=21 expire=39 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    ha_id=0 policy_dir=0 tunnel=/IPSEC vlan_cos=0/255
    state=may_dirty npu
    statistic(bytes/packets/allow_err): org=3056/2/1 reply=3056/2/1 tuples=2
    tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
    orgin->sink: org pre->post, reply pre->post dev=21->23/23->21 gwy=10.201.44.2/10.80.0.9
    hook=pre dir=org act=noop 10.80.0.9:32586->10.201.44.2:8(0.0.0.0:0)
    hook=post dir=reply act=noop 10.201.44.2:32586->10.80.0.9:0(0.0.0.0:0)
    misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=1
    serial=001833a0 tos=ff/ff app_list=0 app=0 url_cat=0
    dd_type=0 dd_mode=0
    npu_state=0x003000
    npu info: flag=0x81/0x82, offload=6/6, ips_offload=0/0, epid=4/2, ipid=2/4, vlan=0x0000/0x8064
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0

    Reply
    1. Mike Post author

      Thanks for the info Bjorn! My post is straight from Fortinet documentation but I do know that there is a lot of behavior that doesn’t necessarily follow documented items. Your insight is much appreciated.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.