MartinsAppliances
New Member
May 19, 2025
Question

Hardware Acceleration/Offloading for IPSec traffic over NPU VDOM Links with VLAN

We are trying to set up three VDOMs and would like IPsec traffic NPU-offloaded between each of them, using a FortiGate with an NP6XLite NPU. My plan was to use NPU VDOM links with VLANs (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-and-understanding-between-NPU-Vdom-link/ta-p/212709).

The root VDOM has a public /30 address to reach the Internet provider, while the other two VDOMs use public IPs from a /27 block. The Servers and PCs VDOMs would have an IPsec VPN to communicate between them.

Does anyone have a better way to do this? I don't want to use physical interfaces between VDOMs (not enough bandwidth on 1Gbps Ethernet), and I want the traffic to be accelerated.

Thanks - I appreciate any guidance!

config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
        set snmp-index 36
    next
    edit "npu0_vlink1"
        set vdom "Servers"
        set type physical
        set snmp-index 37
    next
    edit "root-Servers"
        set vdom "root"
        set ip x.x.x.65 255.255.255.240
        set allowaccess ping
        set role wan
        set snmp-index 71
        set ip-managed-by-fortiipam disable
        set interface "npu0_vlink0"
        set vlanid 3000
    next
    edit "Servers-root"
        set vdom "Servers"
        set ip x.x.x.66 255.255.255.240
        set allowaccess ping
        set role wan
        set snmp-index 72
        set ip-managed-by-fortiipam disable
        set interface "npu0_vlink1"
        set vlanid 3000
    next
    edit "root-PCs"
        set vdom "root"
        set ip x.x.x.81 255.255.255.252
        set allowaccess ping
        set role wan
        set snmp-index 73
        set ip-managed-by-fortiipam disable
        set interface "npu0_vlink0"
        set vlanid 3001
    next
    edit "PCs-root"
        set vdom "PCs"
        set ip x.x.x.82 255.255.255.252
        set allowaccess ping
        set role wan
        set snmp-index 74
        set ip-managed-by-fortiipam disable
        set interface "npu0_vlink1"
        set vlanid 3001
    next
end

5 replies

funkylicious
SuperUser
May 19, 2025

For traffic between subnets/devices behind the same FGT but on different VDOMs, I would just use simple inter-VDOM links with VLANs using the NPU and not do IPsec.

"jack of all trades, master of none"
MartinsAppliances
New Member
May 19, 2025

Thanks for your suggestion.  The reason for IPSec is because I want to include the communications between the VDOMs as part of an IPSec SDWAN Zone.  The PCs VDOM will communicate with the Server VDOM unless the connectivity is lost in which case the SDWAN will redirect the PCs to a remote facility via an IPSec tunnel.  To get that automated failover all IPSec tunnels needed to be under an SDWAN Zone - so the "local" VDOM-to-VDOM communications needed to be IPSec as well.

Toshi_Esumi
SuperUser
May 19, 2025

You want to make the VLAN connections between VDOMs point-to-point. We always use /31 public subnets for those npu-vlink VLANs; otherwise you waste your precious public IPs.

Toshi

MartinsAppliances
New Member
May 19, 2025

I am using a /30 for the VDOM which only needs one public IP. However, I am using a /28 for the Servers VDOM which needs VIPs.

Toshi_Esumi
SuperUser
May 19, 2025

For the link, you need only two IPs on both ends. That's why /31 works without wasting a subnet IP and a broadcast IP. The /28 probably works for VIPs as you intended. I would prefer using /31 for the interface and route the rest so that you can use both the interface IP and all 14 additional IPs for VIPs. I guess that's probably a matter of preference.

Toshi 
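As an added illustration of the /31-plus-route layout described above (example configuration written for this thread, not Fortinet's or the original poster's own config): the two npu-vlink VLAN interfaces take one /31 out of the /28, the root VDOM routes the whole /28 toward the Servers side, and the Servers VDOM publishes VIPs from the remaining 14 addresses. The documentation prefix 203.0.113.64/28 stands in for the thread's x.x.x.64/28; the interface names other than npu0_vlink0/npu0_vlink1, the internal interface "internal", the mapped server 10.10.10.10 and the VIP/policy names are assumptions. Lines starting with # are explanatory only. Policies in root that let the link reach the provider are omitted.

```fortios
# Global scope: both ends of the inter-VDOM link carry a /31 (RFC 3021),
# so no network or broadcast address is burned on the point-to-point link.
config global
    config system interface
        edit "root-Servers"
            set vdom "root"
            set ip 203.0.113.64 255.255.255.254
            set allowaccess ping
            set interface "npu0_vlink0"
            set vlanid 3000
        next
        edit "Servers-root"
            set vdom "Servers"
            set ip 203.0.113.65 255.255.255.254
            set allowaccess ping
            set interface "npu0_vlink1"
            set vlanid 3000
        next
    end
end

config vdom
    edit root
        # Root forwards the entire /28 to the Servers VDOM over the vlink.
        # The connected /31 is more specific, so .64 and .65 stay local.
        config router static
            edit 0
                set dst 203.0.113.64 255.255.255.240
                set gateway 203.0.113.65
                set device "root-Servers"
            next
        end
    next
    edit Servers
        # Servers VDOM sends everything back to root's end of the /31.
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.64
                set device "Servers-root"
            next
        end
        # VIPs use the routed addresses .66-.79; the external IP does not
        # need to be configured on the interface because root routes it here.
        config firewall vip
            edit "vip-web-66"
                set extip 203.0.113.66
                set extintf "Servers-root"
                set mappedip "10.10.10.10"
            next
        end
        config firewall policy
            edit 0
                set name "inbound-web-66"
                set srcintf "Servers-root"
                set dstintf "internal"
                set srcaddr "all"
                set dstaddr "vip-web-66"
                set action accept
                set schedule "always"
                set service "HTTPS"
            next
        end
    next
end
```

With this layout the Servers VDOM keeps its own link address plus fourteen further public addresses for VIPs; adding another VIP only requires a new firewall vip entry and policy, with no interface changes, and the same pattern can be repeated for the PCs VDOM on a second /31 and VLAN.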

MartinsAppliances
New Member
May 19, 2025

I like the idea, because the extra IPs can be used individually and routed to whatever VDOM separately. I was going to ask whether you meant to use /30s instead of /31s, but to my surprise the /31 is a valid subnet for FortiGates. I was not aware that there was a use case for /31s, since the broadcast and network address would not allow for any usable IPs. Comcast Fiber (for example) uses a /30 for their point-to-point networks. Thanks for the good info!

Toshi_Esumi
SuperUser
May 19, 2025

/31s are valid for most decent routers, not only major ones like Cisco, Juniper, etc. Only cheap modem/routers might not support it. Unless you need to use multicast protocols, you don't need a broadcast IP in the subnet. Even those protocols have options to work with point-to-point network, like OSPF.

Toshi

Toshi_Esumi
SuperUser
May 19, 2025

Oh, by the way, Lumen Technologies in our country started installing business internet circuits with a /31 public interface subnet if you order a static IP a couple of years ago. No more /30 static subnets. Probably because they need to conserve available IPv4 addresses.

Toshi