FortiArt
Staff
March 5, 2026

Technical Tip: NP7/NP7Lite offloading for site-to-site VPN traffic - tunnel interface attached to EMAC-VLAN interface that is attached to IEEE 802.1Q VLAN Interface

Description This article describes NP7 and NP7Lite offloading support for Site-to-Site (S2S) IPsec VPN traffic when the tunnel interfaces are attached to EMAC-VLAN interfaces that are attached to IEEE802.1Q VLAN interfaces and ultimately to physical interfaces.
Scope FortiGate.
Solution

Introduction:

 

In this setup, there is an S2S IPsec VPN tunnel whose tunnel interfaces are attached to an EMAC-VLAN interface. This EMAC-VLAN is attached to a physical port on the Hub side and to a VLAN interface on the Spoke side. The objective is to confirm NP7 offloading support for the tunnel's traffic. The configuration and topology are as follows:

 

PC (10.10.201.2)------port6[Hub (FGT2601F)]Hub-----IPsec------Spoke[(FGT201G)]port6----PC (10.10.202.2)

 

Hub Interfaces:

 

hub-interfaces.png

 

 

Spoke Interfaces (same results achieved with the existence of IEEE802.1Q V):

 

spoke-interfaces.png

 

 

Obtained Results:

 

The FortiGate CLI output below was captured while running a continuous ping from source PC 10.10.201.2 to destination PC 10.10.202.2 over the tunnel (only relevant output is shown).

 

Hub:

 

CLI:

 

diagnose sys session filter src 10.10.201.2

diagnose sys session filter dst 10.10.202.2

diagnose sys session list

 

Output:


hook=pre dir=org act=noop 10.10.201.2:2->10.10.202.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.202.2:2->10.10.201.2:0(0.0.0.0:0)
npu info: flag=0x82/0x81, offload=9/9, ips_offload=0/0, epid=3910/137, ipid=137/3942, vlan=0x0000/0x0000
vlifid=137/3942, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=19/6, ha_divert=0/0
hrx info: valid=1/1, qid=20/7, npuid=1/1, sublink=1/1

 

The npu info: field in the above session output indicates that the session has been offloaded to the NP7 hardware processor. In addition, npu_flag=03 in the output below indicates that the tunnel's IPsec SA was pushed to the NP7 ASIC.

 

CLI:

 

diagnose vpn tunnel list

 

Output:

 

name=Hub_0 ver=2 serial=2 100.101.2.6:0->100.101.2.5:0 nexthop=0.0.0.0 tun_id=10.10.2.2 tun_id6=::10.0.0.2
SA: ref=6 options=a26 type=00 soft=0 mtu=1438 expire=42780/0B replaywin=2048
seqno=18 esn=0 replaywin_lastseq=00000013 qat=0 rekey=0 hash_search_len=1
npu_flag=03 npu_rgwy=100.101.2.5:0 npu_lgwy=100.101.2.6:0 npu_selid=0

 

Spoke:

 

CLI:

 

diagnose sys session filter src 10.10.201.2

diagnose sys session filter dst 10.10.202.2

diagnose sys session list

 

Output:


hook=pre dir=org act=noop 10.10.201.2:2->10.10.202.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.202.2:2->10.10.201.2:0(0.0.0.0:0)
npu info: flag=0x81/0x82, offload=9/9, ips_offload=0/0, epid=8/438, ipid=454/8, vlan=0x0000/0x0000
vlifid=454/8, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=10/8, ha_divert=0/0

 

The npu info: field in the above session output indicates that the session has been offloaded to the NP7 ASIC. In addition, npu_flag=03 in the output below indicates that the tunnel's IPsec SA was pushed to the NP7 ASIC.

 

CLI:

 

diagnose vpn tunnel list

 

Output:

 

name=Spoke ver=2 serial=1 100.101.2.5:0->100.101.2.6:0 nexthop=0.0.0.0 tun_id=100.101.2.6 tun_id6=::100.101.2.6
SA: ref=6 options=12202 type=00 soft=0 mtu=1438 expire=42454/0B replaywin=2048
seqno=1b esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
npu_flag=03 npu_rgwy=100.101.2.6:0 npu_lgwy=100.101.2.6:0 npu_selid=0

 

The same results are achieved on running the traffic in the reverse direction, i.e., from a source PC behind the Spoke to a destination PC behind the Hub. 

 

The above was confirmed using factory-default (clean) configuration files with S2S IPsec setups in a basic, non-complex topology. In more advanced deployments, such as environments leveraging SD-WAN, VRRP, VRFs, or similar features, there may be functional limitations affecting NP7/NP7Lite hardware offloading of tunnel traffic. These advanced design considerations are beyond the scope of this article.

 

Note: NP7/NP7Lite processors do not support offloading sessions that pass through two EMAC-VLAN interfaces. For more information, refer to NP7 fastpath and EMAC VLANs.
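
Added example (not part of the original article and not Fortinet tooling): a Python check that parses saved output of the two diagnose commands above and reports captures lacking the indicators this article relies on, namely an npu info: line with non-zero offload= values and npu_flag=03 on each SA. The function names and the negative sample are constructed for illustration, and treating a zero offload= value as "not offloaded" is an assumption.

```python
import re

# Hub captures copied from this page, trimmed to the fields used here.
PAGE_SESSION = (
    "hook=pre dir=org act=noop 10.10.201.2:2->10.10.202.2:8(0.0.0.0:0)\n"
    "npu info: flag=0x82/0x81, offload=9/9, ips_offload=0/0, epid=3910/137\n")
PAGE_TUNNEL = (
    "name=Hub_0 ver=2 serial=2 100.101.2.6:0->100.101.2.5:0 nexthop=0.0.0.0\n"
    "SA: ref=6 options=a26 type=00 soft=0 mtu=1438 expire=42780/0B replaywin=2048\n"
    "npu_flag=03 npu_rgwy=100.101.2.5:0 npu_lgwy=100.101.2.6:0 npu_selid=0\n")
# Constructed counter-example: no "npu info:" line, SA flag other than 03.
BAD_SESSION = "hook=pre dir=org act=noop 10.10.201.2:2->10.10.202.2:8(0.0.0.0:0)\n"
BAD_TUNNEL = "name=Lab_0 ver=2 serial=3\nnpu_flag=00 npu_selid=0\n"

def session_offloaded(text):
    """True if an 'npu info:' line shows non-zero offload=a/b in both directions."""
    m = re.search(r"^\s*npu info:.*?\boffload=(\d+)/(\d+)", text, re.M)
    # Assumption: 0 on either side means that direction is not offloaded.
    return bool(m) and int(m.group(1)) != 0 and int(m.group(2)) != 0

def tunnel_flags(text):
    """Map each tunnel name to the npu_flag values listed under it."""
    flags, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*name=(\S+)", line)
        if m:
            name = m.group(1)
            flags[name] = []
        elif name:
            flags[name] += re.findall(r"\bnpu_flag=([0-9a-fA-F]+)", line)
    return flags

def offload_report(session_text, tunnel_text, expected="03"):
    """Return a list of problems; empty means the capture matches the page's result."""
    problems = []
    if not session_offloaded(session_text):
        problems.append("session: no non-zero offload= in npu info")
    flags = tunnel_flags(tunnel_text)
    if not flags:
        problems.append("tunnel: no tunnel entries found")
    for name, values in flags.items():
        if not values:
            problems.append(f"tunnel {name}: no SA with npu_flag")
        problems += [f"tunnel {name}: npu_flag={v}, expected {expected}"
                     for v in values if v != expected]
    return problems

if __name__ == "__main__":
    print(offload_report(PAGE_SESSION, PAGE_TUNNEL))  # capture from this page
    print(offload_report(BAD_SESSION, BAD_TUNNEL))    # constructed capture
```

Run it against output saved from both the Hub and the Spoke, since the article verifies offload on each side separately.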