Dialup IPSec VPN and NPU acceleration

Forum|Forum|9 years ago
December 7, 2016
1 reply
3803 views

Hi folks,

I have a FGR-60D running FOS 5.4 connected on a 100Mbps internet symetric fiber link. My objective is use it to create a dialup IPSec VPN for about 50 users connected with native Windows and native Android VPN clients.

My question:

On lab tests, connecting a VPN client trough a 1Gbps switch link (no internet) and trying to download a file from FTP server, I had only 70Mbps with 100% CPU (impossible to manage).

I supose that this high CPU load is quite abnormal, and could be caused by something related on lack of hardware accelerating.

I read a lot about NPU and hardware acceleration, but I did not realize if I can use NPU offloading on a dialup VPN (with native client) or just on a site-to-site VPN, or at least using FortiClient VPN software;

Have I missed something? Any suggestions?

5.4

Toshi_Esumi

SuperUser

One thing I could suggest is testing the test environment first without VPN just routing through but includes all component you used to test VPN. Since it's LAB environment you should be able to do it. Does it show much better number? Like 800Mbps?

batiatiAuthor

New Member

You are damn right!!

First I connected two lab computers on port1 and port2 of internal switch of FGR60D [strike]and did achieve the same 70Mbps as I had with VPN, but with low CPU consumption.[/strike]

EDIT: My bad, I had connected trough a 100Mbps switch ... connecting directly to port1 and port2 they reached 1Gbps downloading from FTP, without VPN.

Then I connected the same computers on a gigabit switch and did achive 1Gbps.

[strike]So, it suggests something on Fortigate internal switch, that already is a Hardware Switch interface type.[/strike]

Many thanks

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded