VPN and ASIC offload

  1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.

# get hardware status
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)

  2. Check the port-to-NPU mapping.

# diagnose npu np6 port-list
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port17  1G    Yes
            port18  1G    Yes
            port19  1G    Yes
            port20  1G    Yes
            port21  1G    Yes
            port22  1G    Yes
            port23  1G    Yes
            port24  1G    Yes
            port27  1G    Yes
            port28  1G    Yes
            port25  1G    Yes
            port26  1G    Yes
            port31  1G    Yes
            port32  1G    Yes
            port29  1G    Yes
            port30  1G    Yes
            portB   10G   Yes
------ ---- ------- ----- ----------
np6_1  0    port1   1G    Yes
            port2   1G    Yes
            port3   1G    Yes
            port4   1G    Yes
            port5   1G    Yes
            port6   1G    Yes
            port7   1G    Yes
            port8   1G    Yes
            port11  1G    Yes
            port12  1G    Yes
            port9   1G    Yes
            port10  1G    Yes
            port15  1G    Yes
            port16  1G    Yes
            port13  1G    Yes
            port14  1G    Yes
            portA   10G   Yes
------ ---- ------- ----- ----------

  3. Configure the npu-offload option in the IPsec phase1 settings (phase1 for policy-based tunnels, phase1-interface for route-based tunnels). It controls whether the NPU encrypts and decrypts the tunnel's IPsec packets and is enabled by default.

config vpn ipsec phase1-interface
    edit "vpn_name"
        set npu-offload {enable | disable}
    next
end

  4. Check NPU offloading. While traffic flows through the tunnel, the NPU's encrypted/decrypted counters should keep incrementing. In the tunnel list, npu_flag=03 means that both directions of the tunnel's traffic (encryption and decryption) are processed by the NPU.

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=7
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
  enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

FGT_900D # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
        null             : 0        0
        des              : 0        0
        3des             : 0        0
        aes              : 0        0
        aes-gcm          : 0        0
        aria             : 0        0
        seed             : 0        0
        chacha20poly1305 : 0        0
Integrity (generated/validated)
        null             : 0        0
        md5              : 0        0
        sha1             : 0        0
        sha256           : 0        0
        sha384           : 0        0
        sha512           : 0        0
NP6_1:
Encryption (encrypted/decrypted)
        null             : 14976    15357
        des              : 0        0
        3des             : 0        0
        aes              : 1664     2047
        aes-gcm          : 0        0
        aria             : 0        0
        seed             : 0        0
        chacha20poly1305 : 0        0
Integrity (generated/validated)
        null             : 0        0
        md5              : 1664     2047
        sha1             : 14976    15357
        sha256           : 0        0
        sha384           : 0        0
        sha512           : 0        0
NPU Host Offloading:
Encryption (encrypted/decrypted)
        null             : 3        0
        des              : 0        0
        3des             : 0        0
        aes              : 3        0
        aes-gcm          : 0        0
        aria             : 0        0
        seed             : 0        0
        chacha20poly1305 : 0        0
Integrity (generated/validated)
        null             : 0        0
        md5              : 3        0
        sha1             : 3        0
        sha256           : 0        0
        sha384           : 0        0
        sha512           : 0        0
CP8:
Encryption (encrypted/decrypted)
        null             : 1        0
        des              : 0        0
        3des             : 0        0
        aes              : 1        0
        aes-gcm          : 0        0
        aria             : 0        0
        seed             : 0        0
        chacha20poly1305 : 0        0
Integrity (generated/validated)
        null             : 0        0
        md5              : 1        0
        sha1             : 1        0
        sha256           : 0        0
        sha384           : 0        0
        sha512           : 0        0
SOFTWARE:
Encryption (encrypted/decrypted)
        null             : 0        0
        des              : 0        0
        3des             : 0        0
        aes              : 0        0
        aes-gcm          : 29882    29882
        aria             : 21688    21688
        seed             : 153774   153774
        chacha20poly1305 : 29521    29521
Integrity (generated/validated)
        null             : 59403    59403
        md5              : 0        0
        sha1             : 175462   175462
        sha256           : 0        0
        sha384           : 0        0
        sha512           : 0        0
  5. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets instead; that fallback shows up as counters under the CP8 heading (and, failing that, under SOFTWARE) rather than under the NP6 devices.
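As an added example (not from the Fortinet guide or from this page's author), the following Python checker automates step 4: it parses saved `diagnose vpn tunnel list` output from two captures taken a few seconds apart, reports each SA's npu_flag state, and says whether both NPU packet counters advanced in between. The sample input is constructed from the output above with the key material removed; the meaning given to npu_flag values other than 00 and 03 is an assumption.

```python
import re
# Constructed sample, trimmed from the 'diagnose vpn tunnel list' output above; key material left out.
SAMPLE = """\
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1
  SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0
  dec: spi=e313ac46 esp=aes key=16 <redacted> ah=md5 key=16 <redacted>
  enc: spi=706ffe03 esp=aes key=16 <redacted> ah=md5 key=16 <redacted>
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
"""
KV = re.compile(r"([\w\[\]]+)=([^\s,]+)")
COUNTERS = re.compile(r"(dec|enc):pkts/bytes=(\d+)/(\d+)")

def parse_tunnels(text):
    """Map tunnel name -> its key=value fields plus a list of SAs (SPI, cipher, counters, npu_*)."""
    tunnels, cur = {}, {"sas": []}   # 'cur' is a throwaway until the first name= line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            cur = dict(KV.findall(line), sas=[])
            tunnels[cur["name"]] = cur
        elif line.startswith("bound_if="):   # carries options[0008]=npu
            cur.update(KV.findall(line))
        elif line.startswith("SA:"):
            cur["sas"].append({})
        elif line[:4] in ("dec:", "enc:") and cur["sas"]:
            sa, counts = cur["sas"][-1], COUNTERS.findall(line)
            if counts:   # 'dec:pkts/bytes=.. enc:pkts/bytes=.. npu_flag=..' counter line
                sa.update({d + "_pkts": int(p) for d, p, _ in counts})
                sa.update(KV.findall(line))
            else:        # 'dec: spi=.. esp=aes ..' or 'enc: ..' cipher line
                f = dict(KV.findall(line[4:]))
                sa[line[:3] + "_spi"], sa[line[:3] + "_esp"] = f["spi"], f["esp"]
    return tunnels

def classify(sa):
    """03 = both directions on the NPU (stated above), 00 = none; reading other values as one direction is an assumption."""
    flag = int(sa.get("npu_flag", "00"), 16)
    return {3: "npu-both-directions", 0: "not-offloaded"}.get(flag, "npu-one-direction")

def offload_report(before, after):
    """Per SA: (tunnel, outbound SPI, cipher, offload state, counters advanced between captures)."""
    old_tunnels, rows = parse_tunnels(before), []
    for name, tun in parse_tunnels(after).items():
        old_sas = old_tunnels.get(name, {"sas": []})["sas"]
        for i, sa in enumerate(tun["sas"]):
            old = old_sas[i] if i < len(old_sas) else sa   # no earlier capture -> not ticking
            ticking = sa["dec_pkts"] > old["dec_pkts"] and sa["enc_pkts"] > old["enc_pkts"]
            rows.append((name, sa["enc_spi"], sa["enc_esp"], classify(sa), ticking))
    return rows
```

Feed it two captures of the real command output; an SA that is reported as npu-both-directions but whose counters never advance is the case to investigate against the per-device counters in step 4.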
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
