NP4 IPsec VPN offloading

NP4 IPsec VPN offloading

NP4 processors improve IPsec tunnel performance by offloading IPsec encryption and decryption. Requirements for hardware accelerated IPsec encryption or decryption are a modification of general offloading requirements. Differing characteristics are:

  • Origin can be local host (the FortiGate unit)
  • In Phase 1 configuration, Local Gateway IP must be specified as an IP address of a network interface for a port attached to a network processor
  • SA must have been received by the network processor
  • in Phase 2 configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  • authentication must be MD5, SHA1, or null
  • if encryption is null, authentication must not also be null
  • if replay detection is enabled, enc-offload-antireplay must also be enable in the CLI

If replay detection is enabled in the Phase 2 configuration, you can enable or disable IPsec encryption and decryption offloading from the CLI. Performance varies by those CLI options and the percentage of packets requiring encryption or decryption. For details, see NP4 IPsec VPN offloading on page 1261

To apply hardware accelerated encryption and decryption, the FortiGate unit’s main processing resources must first perform Phase 1 negotiations to establish the security association (SA). The SA includes cryptographic processing instructions required by the network processor, such as which encryption algorithms must be applied to the tunnel. After ISAKMP negotiations, the FortiGate unit’s main processing resources send the SA to the network processor, enabling the network processor to apply the negotiated hardware accelerated encryption or decryption to tunnel traffic.

 

Possible accelerated cryptographic paths are:

  • IPsec decryption offload
  • Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  • Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit’s main processing resources
  • IPsec encryption offload
  • Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  • Packet from FortiGate unit’s main processing resources > Offloaded encryption > Encrypted (ESP) packet egress

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.