Fortigate 200B - problem with IPsec Hardware Acceleration
Hello!
I have a problem with IPsec Hardware Acceleration on my FortiGate 200B device (Version: FortiGate-200B v5.2.9,build0736,160906 (GA)). Two FortiGate 200B devices are in an HA cluster in Active-Active mode, and my IPsec tunnel from the Central Location to the Branch works, but the traffic is not offloaded to the Network Processor. The same problem occurs when I configure the IPsec tunnel on a single FortiGate 200B device. Port15 is configured for the LAN and port16 for the WAN network.
The tunnel is configured using "Custom VPN Tunnel (No Template)".
Thank you in advance for the help!
FGT-200B-1 # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "Branch_VPN"
        set interface "port16"
        set local-gw CENTRAL-LOCATION-PUBLIC-IP
        set keylife 28800
        set proposal 3des-md5 aes128-sha1
        set dhgrp 5
        set remote-gw BRANCH-PUBLIC-IP
        set psksecret ENC v56zZzqi+xWPgYhGy2XJJE3eeJhwWnBr5YTeHHAiIahMKmGXb0WGYXCMWpvLu2apeJH0RyhdCvBbzl/EB9NozsCNEzERUN0W3byqOGY83xwYR3wPhPv688KQshzJTYanTUiEU4h765RIUSKdj80YTUGMUhh0MEEKupfDUubVtlB/
    next
end
FGT-200B-1 # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP2-0
null:            0          0
des:             0          0
3des:            0          0
aes:             0          0
aria:            0          0
seed:            0          0
null:            0          0
md5:             0          0
sha1:            0          0
sha256:          0          0
sha384:          0          0
sha512:          0          0
NPU HARDWARE
null:            0          0
des:             0          0
3des:            0          0
aes:             0          0
aria:            0          0
seed:            0          0
null:            0          0
md5:             0          0
sha1:            0          0
sha256:          0          0
sha384:          0          0
sha512:          0          0
CP6
null:            0          0
des:             0          0
3des:        11112       4148
aes:             0          0
aria:            0          0
seed:            0          0
null:            0          0
md5:         11112       4148
sha1:            0          0
sha256:          0          0
sha384:          0          0
sha512:          0          0
SOFTWARE:
null:            0          0
des:             0          0
3des:            0          0
aes:             0          0
aria:            0          0
seed:            0          0
null:            0          0
md5:             0          0
sha1:            0          0
sha256:          0          0
sha384:          0          0
sha512:          0          0
FGT-200B-1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Branch_VPN_VPN ver=1 serial=1 CENTRAL-LOCATION-PUBLIC-IP:0->BRANCH-PUBLIC-IP:0 lgwy=static tun=intf mode=auto bound_if=9
proxyid_num=1 child_num=0 refcnt=40 ilast=3 olast=3
stat: rxp=4151 txp=11123 rxb=551392 txb=723863
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=3269
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Branch_VPN_ph2 proto=0 sa=1 ref=2 serial=2
  src: 0:192.168.5.0/255.255.255.0:0
  dst: 0:10.200.1.0/255.255.255.0:0
  SA: ref=37 options=0000000e type=00 soft=0 mtu=1446 expire=889/0B replaywin=1024 seqno=16a
  life: type=01 bytes=0/0 timeout=1749/1800
  dec: spi=1e2a1f58 esp=3des key=24 bc4751192de0f258ece9e71ee6f77f753f700555d63aa60f
       ah=md5 key=16 2b191f2a928f5216a57c280bc24e8611
  enc: spi=4989b8c2 esp=3des key=24 5ab8ea4fa68d76104062d6466fc845cea5bc40b741674900
       ah=md5 key=16 4481700fff05d01dd5c77dc4b5b44e28
  dec:pkts/bytes=124/9752, enc:pkts/bytes=361/43408
  npu_flag=20 npu_rgwy=BRANCH-PUBLIC-IP npu_lgwy=CENTRAL-LOCATION-PUBLIC-IP npu_selid=1 dec_npuid=0 enc_npuid=0

FGT-200B-1 # get system npu
enc-offload-antireplay: enable
dec-offload-antireplay: enable
offload-ipsec-host    : enable
FGT-200B-1 # show firewall policy
config firewall policy
    edit 1
        set srcintf "port15"
        set dstintf "Branch_VPN"
        set srcaddr "LAN"
        set dstaddr "LAN_Branch"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set comments "LAN to LAN_Branch"
    next
    edit 2
        set srcintf "Branch_VPN"
        set dstintf "port15"
        set srcaddr "LAN_Branch"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set comments "LAN_Branch to LAN"
    next
end
FGT-200B-1 # show router static
config router static
    edit 1
        set gateway PUBLIC-GTW-IP
        set device "port16"
    next
    edit 2
        set dst 10.200.1.0 255.255.255.0
        set device "Branch_VPN"
    next
end
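Added example, not part of the original post and not Fortinet code: a small parser for the "diagnose vpn ipsec status" output above, which reports which crypto engine actually carried the packets. In the post, every counter under NP2-0 and NPU HARDWARE is zero while 3des and md5 show 11112/4148 under CP6, so the check would flag the tunnel as not NPU-offloaded. The engine headers and the 12-algorithm layout are taken from the post; the sample inputs are constructed to mirror it, the "offloaded" sample is my assumption of what a healthy box prints, and the function names are mine. The parser does not interpret what the two counter columns mean individually; any non-zero value counts as activity.

```python
import re

# Algorithm rows as printed per engine: six cipher rows, then six integrity rows.
# "null" appears once in each group, which is how the parser tells them apart.
ALGS = ["null", "des", "3des", "aes", "aria", "seed",
        "null", "md5", "sha1", "sha256", "sha384", "sha512"]

ALG_LINE = re.compile(r"^(\w+):\s+(\d+)\s+(\d+)\s*$")


def _block(header, nonzero=None):
    """Render one engine section of the status output (constructed test data)."""
    nonzero = nonzero or {}
    out = [header]
    for i, alg in enumerate(ALGS):
        key = ("enc/" if i < 6 else "auth/") + alg
        c1, c2 = nonzero.get(key, (0, 0))
        out.append(f"{alg}:{c1:>12}{c2:>12}")
    return "\n".join(out)


# Constructed sample mirroring the post: only CP6 carries the 3des/md5 counters.
SAMPLE_STATUS = "\n".join([
    "All ipsec crypto devices in use:",
    _block("NP2-0"),
    _block("NPU HARDWARE"),
    _block("CP6", {"enc/3des": (11112, 4148), "auth/md5": (11112, 4148)}),
    _block("SOFTWARE:"),   # FortiOS prints this header with a trailing colon
])

# Constructed sample of what an NPU-offloaded tunnel would look like (assumption).
SAMPLE_OFFLOADED = "\n".join([
    "All ipsec crypto devices in use:",
    _block("NP2-0", {"enc/aes": (500, 400), "auth/sha1": (500, 400)}),
    _block("NPU HARDWARE"),
    _block("CP6"),
    _block("SOFTWARE:"),
])


def parse_ipsec_status(text):
    """Return {engine: {"enc/<alg>" or "auth/<alg>": (col1, col2)}}."""
    engines = {}
    engine = None
    section = "enc"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("All ipsec crypto devices"):
            continue
        m = ALG_LINE.match(line)
        if m is None:
            # Any non-counter line starts a new engine section.
            engine = line.rstrip(":")
            engines[engine] = {}
            section = "enc"
            continue
        if engine is None:
            raise ValueError("counter line before any engine header: " + line)
        alg, c1, c2 = m.group(1), int(m.group(2)), int(m.group(3))
        if alg == "null" and "enc/null" in engines[engine]:
            section = "auth"   # second "null" row opens the integrity group
        engines[engine][f"{section}/{alg}"] = (c1, c2)
    return engines


def busy_engines(engines):
    """Engines that moved any packets, with only their non-zero counters."""
    busy = {}
    for name, algs in engines.items():
        nonzero = {alg: c for alg, c in algs.items() if any(c)}
        if nonzero:
            busy[name] = nonzero
    return busy


def is_npu_offloaded(engines):
    """True when a network processor (NP2-x / NPU HARDWARE) shows traffic."""
    return any(name.upper().startswith("NP") for name in busy_engines(engines))


def offload_report(text):
    """Human-readable summary of which engine handled the IPsec traffic."""
    engines = parse_ipsec_status(text)
    busy = busy_engines(engines)
    lines = [f"{name}: {alg} {c1}/{c2}"
             for name, algs in busy.items() for alg, (c1, c2) in algs.items()]
    if is_npu_offloaded(engines):
        lines.append("NPU offload active")
    else:
        lines.append("NO NPU offload: traffic handled by " + ", ".join(busy) or "nothing")
    return "\n".join(lines)


if __name__ == "__main__":
    print(offload_report(SAMPLE_STATUS))
```

Feed it the real output with `offload_report(open("status.txt").read())`; a tunnel whose counters climb only under CP6 or SOFTWARE is being processed by the content processor or the CPU rather than the NPU, which is the symptom the post describes.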
