NP4 IPsec VPN offloading
NP4 processors improve IPsec tunnel performance by offloading IPsec encryption and decryption. Requirements for hardware accelerated IPsec encryption or decryption are a modification of general offloading requirements. Differing characteristics are:
- Origin can be local host (the FortiGate unit)
- In Phase 1 configuration, Local Gateway IP must be specified as an IP address of a network interface for a port attached to a network processor
- SA must have been received by the network processor
- in Phase 2 configuration:
- encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
- authentication must be MD5, SHA1, or null
- if encryption is null, authentication must not also be null
- if replay detection is enabled, enc-offload-antireplay must also be enable in the CLI
If replay detection is enabled in the Phase 2 configuration, you can enable or disable IPsec encryption and decryption offloading from the CLI. Performance varies by those CLI options and the percentage of packets requiring encryption or decryption. For details, see NP4 IPsec VPN offloading on page 1261
To apply hardware accelerated encryption and decryption, the FortiGate unit’s main processing resources must first perform Phase 1 negotiations to establish the security association (SA). The SA includes cryptographic processing instructions required by the network processor, such as which encryption algorithms must be applied to the tunnel. After ISAKMP negotiations, the FortiGate unit’s main processing resources send the SA to the network processor, enabling the network processor to apply the negotiated hardware accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:
- IPsec decryption offload
- Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
- Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit’s main processing resources
- IPsec encryption offload
- Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
- Packet from FortiGate unit’s main processing resources > Offloaded encryption > Encrypted (ESP) packet egress
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos