Figure: Example network topology for offloaded IPsec processing (FortiGate_1 and FortiGate_2 joined by an IPsec tunnel, each with a protected network behind it).
Example ports and IP addresses for offloaded IPsec processing

                     FortiGate_1                           FortiGate_2
                     Port                    IP            Port                    IP
IPsec tunnel         FortiGate-5001B port 2  3.3.3.1/24    FortiGate-5001B port 2  3.3.3.2/24
Protected network    FortiGate-5001B port 1  1.1.1.0/24    FortiGate-5001B port 1  2.2.2.0/24
Accelerated policy mode IPsec configuration
The following steps create a hardware accelerated policy mode IPsec tunnel between two FortiGate-5001B units, each containing two NP4 processors, the first of which will be used.
To configure hardware accelerated policy mode IPsec
1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).
2. Configure Phase 1.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module port 2.
3. Configure Phase 2.
4. Select Enable replay detection.
5. Use the following command to enable offloading antireplay packets:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
6. Go to Policy > Policy > Policy.
7. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 2 to traffic between FortiGate-5001B ports 1 and 2.
8. Go to Router > Static > Static Route.
9. Configure a static route to route traffic destined for FortiGate_2’s protected network to the VPN IP address of FortiGate_2’s VPN gateway, 3.3.3.2, through FortiGate-5001B port 2. You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "AMC-SW1/2"
        set dst 2.2.2.0 255.255.255.0
        set gateway 3.3.3.2
end
10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).
11. Configure Phase 1.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required.
Select Advanced. In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s port2.
12. Configure Phase 2.
13. Select Enable replay detection.
14. Use the following command to enable offloading antireplay packets:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated IPsec VPN encryption/decryption offloading” on page 1201.
15. Go to Policy > Policy > Policy.
16. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 9 to traffic between FortiGate-5001B ports 1 and 2.
17. Go to Router > Static > Static Route.
18. Configure a static route to route traffic destined for FortiGate_1’s protected network to the VPN IP address of FortiGate_1’s VPN gateway, 3.3.3.1, through FortiGate-5001B port 2. You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "AMC-SW1/2"
        set dst 1.1.1.0 255.255.255.0
        set gateway 3.3.3.1
end
19. Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.
Accelerated interface mode IPsec configuration
The following steps create a hardware accelerated interface mode IPsec tunnel between two FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated interface mode IPsec
1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).
2. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
Select Advanced.
Enable the checkbox “Enable IPsec Interface Mode.”
In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s port 2.
3. Configure Phase 2.
4. Select Enable replay detection.
5. Use the following command to enable offloading antireplay packets:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
6. Go to Policy > Policy > Policy.
7. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4 module port 1.
8. Go to Router > Static > Static Route.
9. Configure a static route to route traffic destined for FortiGate_2’s protected network to the Phase 1 IPsec device, FGT_1_IPsec.
You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "FGT_1_IPsec"
        set dst 2.2.2.0 255.255.255.0
end
10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).
11. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
Enable the checkbox “Enable IPsec Interface Mode.”
In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-5001B port 2.
12. Configure Phase 2.
13. Select Enable replay detection.
14. Use the following command to enable offloading antireplay packets:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Hardware acceleration overview” on page 1193.
15. Go to Policy > Policy > Policy.
16. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 9 to traffic leaving from or arriving on FortiGate-5001B port 1.
17. Go to Router > Static > Static Route.
18. Configure a static route to route traffic destined for FortiGate_1’s protected network to the Phase 1 IPsec device, FGT_2_IPsec.
You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "FGT_2_IPsec"
        set dst 1.1.1.0 255.255.255.0
    next
end
19. Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.
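The FortiGate_1 side of the interface mode procedure above (steps 1 to 18), written out as the equivalent CLI configuration; this is an added example and is not part of the Fortinet documentation or the original post. It assumes the interface names port1 and port2, the built-in address object "all", an aes256-sha256 proposal, a pre-shared key placeholder, and takes FortiGate_1's own port 2 address (3.3.3.1, from the address table) as local-gw with 3.3.3.2 as the remote gateway.

```text
# FortiGate_1 side of the interface mode tunnel (added example; assumptions noted above)
config vpn ipsec phase1-interface
    edit "FGT_1_IPsec"
        set interface "port2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "FGT_1_IPsec_p2"
        set phase1name "FGT_1_IPsec"
        set replay enable
        set src-subnet 1.1.1.0 255.255.255.0
        set dst-subnet 2.2.2.0 255.255.255.0
    next
end
# Offload anti-replay checking to the NP processor (step 5)
config system npu
    set enc-offload-antireplay enable
end
# One policy per direction between port 1 and the tunnel interface (step 7)
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "FGT_1_IPsec"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "FGT_1_IPsec"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Route FortiGate_2's protected network into the tunnel (step 9)
config router static
    edit 2
        set device "FGT_1_IPsec"
        set dst 2.2.2.0 255.255.255.0
    next
end
```

FortiGate_2 mirrors this with the gateway addresses, subnets and tunnel name swapped (FGT_2_IPsec, local-gw 3.3.3.2, remote-gw 3.3.3.1, route to 1.1.1.0/24).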
Not quite sure if this is entirely correct: I don’t assign local-gw in my config, but the traffic gets offloaded (6/6 on a FG60D).
config vpn ipsec phase1-interface
    edit "IPSEC"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        (…)
session info: proto=1 proto_state=00 duration=21 expire=39 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/IPSEC vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=3056/2/1 reply=3056/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=21->23/23->21 gwy=10.201.44.2/10.80.0.9
hook=pre dir=org act=noop 10.80.0.9:32586->10.201.44.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.201.44.2:32586->10.80.0.9:0(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=1
serial=001833a0 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x003000
npu info: flag=0x81/0x82, offload=6/6, ips_offload=0/0, epid=4/2, ipid=2/4, vlan=0x0000/0x8064
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
Thanks for the info Bjorn! My post is straight from Fortinet documentation but I do know that there is a lot of behavior that doesn’t necessarily follow documented items. Your insight is much appreciated.