VPN and ASIC offload
- Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
# get hardware status
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)
- Check port to NPU mapping.
# diagnose npu np6 port-list
Chip    XAUI  Ports    Max    Cross-chip
                       Speed  offloading
------  ----  -------  -----  ----------
np6_0   0
              port17   1G     Yes
              port18   1G     Yes
              port19   1G     Yes
              port20   1G     Yes
              port21   1G     Yes
              port22   1G     Yes
              port23   1G     Yes
              port24   1G     Yes
              port27   1G     Yes
              port28   1G     Yes
              port25   1G     Yes
              port26   1G     Yes
              port31   1G     Yes
              port32   1G     Yes
              port29   1G     Yes
              port30   1G     Yes
              portB    10G    Yes
------  ----  -------  -----  ----------
np6_1   0
              port1    1G     Yes
              port2    1G     Yes
              port3    1G     Yes
              port4    1G     Yes
              port5    1G     Yes
              port6    1G     Yes
              port7    1G     Yes
              port8    1G     Yes
              port11   1G     Yes
              port12   1G     Yes
              port9    1G     Yes
              port10   1G     Yes
              port15   1G     Yes
              port16   1G     Yes
              port13   1G     Yes
              port14   1G     Yes
              portA    10G    Yes
------  ----  -------  -----  ----------
- Configure the phase1 option that controls whether the NPU encrypts/decrypts the IPsec packets of a tunnel (enabled by default).
config vpn ipsec {phase1 | phase1-interface}
    edit "vpn_name"
        set npu-offload {enable | disable}
    next
end
- Check NPU offloading. The NPU encrypted/decrypted counters should increase while traffic flows through the tunnel. In the tunnel list, npu_flag=03 means the NPU processes the tunnel's traffic in both directions (encryption and decryption).
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=7
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
  enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
FGT_900D # diagnose vpn ipsec st
All ipsec crypto devices in use:
NP6_0:
  Encryption (encrypted/decrypted)
    null             : 0
    des              : 0
    3des             : 0
    aes              : 0
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
  Integrity (generated/validated)
    null             : 0
    md5              : 0
    sha1             : 0
    sha256           : 0
    sha384           : 0
    sha512           : 0
NP6_1:
  Encryption (encrypted/decrypted)
    null             : 14976   15357
    des              : 0
    3des             : 0
    aes              : 1664    2047
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
  Integrity (generated/validated)
    null             : 0
    md5              : 1664    2047
    sha1             : 14976   15357
    sha256           : 0
    sha384           : 0
    sha512           : 0
NPU Host Offloading:
  Encryption (encrypted/decrypted)
    null             : 3
    des              : 0
    3des             : 0
    aes              : 3
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
  Integrity (generated/validated)
    null             : 0
    md5              : 3
    sha1             : 3
    sha256           : 0
    sha384           : 0
    sha512           : 0
CP8:
  Encryption (encrypted/decrypted)
    null             : 1
    des              : 0
    3des             : 0
    aes              : 1
    aes-gcm          : 0
    aria             : 0
    seed             : 0
    chacha20poly1305 : 0
  Integrity (generated/validated)
    null             : 0
    md5              : 1
    sha1             : 1
    sha256           : 0
    sha384           : 0
    sha512           : 0
SOFTWARE:
  Encryption (encrypted/decrypted)
    null             : 0
    des              : 0
    3des             : 0
    aes              : 0
    aes-gcm          : 29882   29882
    aria             : 21688   21688
    seed             : 153774  153774
    chacha20poly1305 : 29521   29521
  Integrity (generated/validated)
    null             : 59403   59403
    md5              : 0
    sha1             : 175462  175462
    sha256           : 0
    sha384           : 0
    sha512           : 0
- If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets instead; the SOFTWARE counters in the status output show the operations that neither ASIC handled.
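As an added check for the tunnel-list step above (example code, not from this page or from Fortinet), a small Python parser that pulls each SA's npu_flag and enc/dec packet counters out of `diagnose vpn tunnel list` output and lists the tunnels the NPU is not handling in both directions. The sample text is constructed from the page's tunnel plus a hypothetical second tunnel with npu_flag=00.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `diagnose vpn tunnel list`: the first tunnel
# reproduces the page's offloaded SA (npu_flag=03); the second is hypothetical and
# shows an SA the NPU is not handling (npu_flag=00).
SAMPLE = """\
list all ipsec tunnel in vd 0
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
name=branch ver=2 serial=2 173.1.1.1:0->11.101.1.2:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8
  dec:pkts/bytes=40/4000, enc:pkts/bytes=55/5500 npu_flag=00 npu_rgwy=11.101.1.2 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=0 enc_npuid=0
"""

NAME_RE = re.compile(r"^name=(\S+) .* (\S+)->(\S+)$")
SA_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+ npu_flag=(\w+)")

@dataclass
class TunnelSA:
    name: str
    peer: str
    npu_flag: str
    dec_pkts: int
    enc_pkts: int

    @property
    def offloaded(self) -> bool:
        # npu_flag=03: the NPU encrypts and decrypts for this SA (both directions)
        return self.npu_flag == "03"

def parse_tunnel_list(text: str) -> list:
    """One TunnelSA per per-SA counter line, attributed to the preceding name= line."""
    sas, name, peer = [], None, None
    for line in text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            name, peer = m.group(1), m.group(3)
            continue
        m = SA_RE.search(line)
        if m and name is not None:
            sas.append(TunnelSA(name, peer, m.group(3), int(m.group(1)), int(m.group(2))))
    return sas

def not_offloaded(sas: list) -> list:
    """Names of tunnels with an SA the NPU is not handling in both directions."""
    return [sa.name for sa in sas if not sa.offloaded]
```

Feed it the real command output instead of SAMPLE and compare the enc/dec counters across two runs to confirm the offloaded SAs are the ones actually carrying traffic.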