VPN and ASIC offload
- Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
# get hardware status
Model name: [[QualityAssurance62/FortiGate]]-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: [[QualityAssurance62/FortiASIC]] NP6 Adapter (rev.)
- Check port to NPU mapping.
| # diagnose npu np6 port-list | ||||||||
| Chip
—- |
XAUI Ports | Max Cross-chip Speed offloading | ||||||
| np6_0 | 0 | |||||||
| 1. | port17 | 1G | Yes | |||||
| 1. | port18 | 1G | Yes | |||||
| 1. | port19 | 1G | Yes | |||||
| 1. | port20 | 1G | Yes | |||||
| 1. | port21 | 1G | Yes | |||||
| 1. | port22 | 1G | Yes | |||||
| 1. | port23 | 1G | Yes | |||||
| 1. | port24 | 1G | Yes | |||||
| 1. | port27 | 1G | Yes | |||||
| 1. | port28 | 1G | Yes | |||||
| 1. | port25 | 1G | Yes | |||||
| 1. | port26 | 1G | Yes | |||||
| 1. | port31 | 1G | Yes | |||||
| 1. | port32 | 1G | Yes | |||||
| 1. | port29 | 1G | Yes | |||||
| 1. | port30 | 1G | Yes | |||||
| —- | 1. 1. | portB | 10G | Yes | ||||
| np6_1 | 0 | |||||||
| 1. | port1 | 1G | Yes | |||||
| 1. | port2 | 1G | Yes | |||||
| 1. | port3 | 1G | Yes | |||||
| 1. | port4 | 1G | Yes | |||||
| 1. | port5 | 1G | Yes | |||||
| 1. | port6 | 1G | Yes | |||||
| 1. | port7 | 1G | Yes | |||||
| 1. | port8 | 1G | Yes | |||||
| 1. | port11 | 1G | Yes | |||||
| 1. | port12 | 1G | Yes | |||||
| 1. | port9 | 1G | Yes | |||||
| 1. | port10 | 1G | Yes | |||||
| 1. | port15 | 1G | Yes | |||||
| 1. | port16 | 1G | Yes | |||||
| 1. | port13 | 1G | Yes | |||||
| 1. | port14 | 1G | Yes | |||||
| 1. 1. | portA | 10G | Yes | |||||
—-
- Configure the option in IPsec phase1 settings to control NPU encrypt/decrypt IPsec packets (enabled by default).
config vpn ipsec phase1/phase1-interface edit “vpn_name” set npu-offload enable/disable
next
end
- Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the traffic processed by the NPU is bi-directional.
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
—-
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0 stat: rxp=12231 txp=12617 rxb=1316052 txb=674314 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=test proto=0 sa=1 ref=4 serial=7
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
life: type=01 bytes=0/0 timeout=42930/43200
dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
FGT_900D # diagnose vpn ipsec st All ipsec crypto devices in use: NP6_0:
| Encryption (encrypted/decrypted) | |
| null : 0 | 1. |
| des : 0 | 1. |
| 3des : 0 | 1. |
| aes : 0 | 1. |
| aes-gcm : 0 | 1. |
| aria : 0 | 1. |
| seed : 0 | 1. |
| chacha20poly1305 : 0
Integrity (generated/validated) |
1. |
| null : 0 | 1. |
| md5 : 0 | 1. |
| sha1 : 0 | 1. |
| sha256 : 0 | 1. |
| sha384 : 0 | 1. |
| sha512 : 0
NP6_1: Encryption (encrypted/decrypted) |
1. |
| null : 14976 | 15357 |
| des : 0 | 1. |
| 3des : 0 | 1. |
| aes : 1664 | 2047 |
| aes-gcm : 0 | 1. |
| aria : 0 | 1. |
| seed : 0 | 1. |
| chacha20poly1305 : 0
Integrity (generated/validated) |
1. |
| null : 0 | 1. |
| md5 : 1664 | 2047 |
| sha1 : 14976 | 15357 |
| sha256 : 0 | 1. |
| sha384 : 0 | 1. |
| sha512 : 0
NPU Host Offloading: Encryption (encrypted/decrypted) |
1. |
| null : 3 | 1. |
| des : 0 | 1. |
| 3des : 0 | 1. |
| aes : 3 | 1. |
| aes-gcm : 0 | 1. |
| aria : 0 | 1. |
| seed : 0 | 1. |
| chacha20poly1305 : 0
Integrity (generated/validated) |
1. |
| null : 0 | 1. |
| md5 : 3 | 1. |
| sha1 : 3 | 1. |
| sha256 : 0 | 1. |
| sha384 : 0 | 1. |
| sha512 : 0
CP8: Encryption (encrypted/decrypted) |
1. |
| null : 1 | 1. |
| des : 0 | 1. |
| 3des : 0 | 1. |
| aes : 1 | 1. |
| aes-gcm : 0 | 1. |
| aria : 0 | 1. |
| seed : 0 | 1. |
| chacha20poly1305 : 0
Integrity (generated/validated) |
1. |
| null : 0 | 1. |
| md5 : 1 | 1. |
| sha1 : 1 | 1. |
| sha256 : 0 | 1. |
| sha384 : 0 | 1. |
| sha512 : 0 | 1. |
SOFTWARE:
| Encryption (encrypted/decrypted) | |
| null : 0 | 1. |
| des : 0 | 1. |
| 3des : 0 | 1. |
| aes : 0 | 1. |
| aes-gcm : 29882 | 29882 |
| aria : 21688 | 21688 |
| seed : 153774 | 153774 |
| chacha20poly1305 : 29521
Integrity (generated/validated) |
29521 |
| null : 59403 | 59403 |
| md5 : 0 | 1. |
| sha1 : 175462 | 175462 |
| sha256 : 0 | 1. |
| sha384 : 0 | 1. |
| sha512 : 0 | 1. |
- If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!