Skip to main content
MahmutKarali
MahmutKarali
Explorer
February 4, 2026
Question

Enable IPsec NPU offload

  • February 4, 2026
  • 4 replies
  • 778 views

I have a Fortios 7.6.4 Fortigate 60F device, so I want to use NPU hardware in the IPsec configuration, which has 2 RAM limitations. I manage it with my Fortilink VLANs.
I want to establish an IPsec connection. How can I establish an NPU-compatible IPsec connection? Are MTU and MSS values important? They are very important to me.

Please help me with IPsec NPU offload.

4 replies

kaman
Staff
kaman
Staff
February 8, 2026

Hi MahmutKarali,

You can enable IPsec NPU offload with the help of the following command:

config vpn ipsec phase1-interface
edit phase-1-name
set npu-offload enable
end


Please refer to the document below on how to ensure that IPsec traffic is offloaded for improved throughput:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPsec-traffic-is-offloaded-for-improved/ta-p/193493


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

    MahmutKarali
    MahmutKaraliAuthor
    Explorer
    February 10, 2026

    I still don't understand the problem. I've done all these steps, but it's not working. I've been looking at this for days.

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    February 10, 2026

    is your wan PPPoE ? if yes, then that might be a issue.

    are you using security profiles on the rules?

    can you share, diagnose vpn tunnel list , diagnose vpn ipsec status 

    "jack of all trades, master of none"
    MahmutKarali
    MahmutKaraliAuthor
    Explorer
    February 10, 2026

    By canceling the ISP modem and directly connecting the fiber connection to the Fortigate 60F WAN port, I created a VLAN under the 0.0.0.0 / 0.0.0.0 WAN port. Then I configured the IPsec settings as IKEv2 and AES 128 SHA 256, enabled it as NPU and policy, disabled NAT, and set SSL to no. - I selected Inception and did not make any further adjustments.

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    February 10, 2026

    is the traffic not offloaded for all or only certain traffic?

    "jack of all trades, master of none"
    MahmutKarali
    MahmutKaraliAuthor
    Explorer
    February 10, 2026

    None of them are using IPsec connections with NPU.

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    February 10, 2026

    is the destination or source locally on the FGT defined on a software switch maybe?

    "jack of all trades, master of none"
    Terms & ConditionsAccessibility statement