Technical Tip: Information about IPsec on loopback interface and hardware acceleration

For FortiGates with NP6 or NP6lite and NP7 (FortiOS up to v7.0.5 or v7.2.0), when IPsec VPN is configured with the source interface as a Loopback interface, this may lead to performance issues as the loopback interface does not support hardware acceleration.

It is recommended to configure IPsec to use a Physical interface.

For devices with NP7 running on FortiOS v7.0.6 and v7.2.1 and above, hardware acceleration is supported on Loopback interfaces.

In order to verify such a configuration in the unit, issue the command 'diagnose vpn tunnel list' and identify the tunnel.

For easier reading, a sample omitted output will be generated:

name=to10.183.4.123 ver=2 serial=1 172.16.1.1:0->10.183.4.123:0 tun_id=10.183.4.123 tun_id6=::10.183.4.123 dst_mtu=0 dpd-link=on weight=1
bound_if=0 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
proxyid=to10.183.4.123 proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
npu_flag=00 npu_rgwy=10.183.4.123 npu_lgwy=172.16.1.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0

Two key factors should be noted:

1. The bound_if value will always be 0 when a tunnel is bound on a loopback interface. Instead, if a VPN is bound to another type of interface, then this number reflects the index on that interface, which can be found on the command 'diagnose ip address list'.
   
   
2. The npu_flag indicates if the NPU is involved in the encryption and decryption of ESP packets. The most common values that can be observed are:
   
   1. npu_flag=00 means there is no hardware acceleration done, and IPsec SA is not being pushed to NP.
   2. npu_flag=01 means hardware acceleration is performed only in the outbound direction [encryption].
   3. npu_flag=02 means hardware acceleration is performed only in the inbound direction [decryption].
   4. npu_flag=03 means traffic is hardware-accelerated in both inbound & outbound directions.
   5. npu_flag=20 means unsupported cipher or HMAC, IPSec SA cannot be offloaded. 

In FortiOS v5.4.0 and later, the fields dec_npuid=x and enc_npuid=y indicate which NP6 processor holds the inbound and outbound IPsec Security Associations:

dec_npuid --> NP6 chip where the inbound SA (SA-dec) is installed.

enc_npuid --> NP6 chip where the outbound SA (SA-enc) is installed.

Example:

(dec|enc)_npuid = 0 → The corresponding SA (dec or enc) is not offloaded to NP6 hardware.

(dec|enc)_npuid = x → The SA is offloaded to NP6 chip number x, where NP6 numbering starts at np6_(x-1).

Example:

enc_npuid = 2 → outbound SA is on np6_1.

dec_npuid = enc_npuid = 2 → Both inbound and outbound SAs are offloaded to the second NP6 chip, which is np6_1.