Description
This article shows the new option on FortiOS 6.2 that forward Error Correction for IPsec VPN.
Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth.
Solution
Six new parameters are added to the IPsec phase1-interface settings:
fec-ingress: Enable/disable Forward Error Correction for ingress IPsec traffic (default = disable).
fec-egress: Enable/disable Forward Error Correction for egress IPsec traffic (default = disable).
fec-base: The number of base Forward Error Correction packets (1 - 100, default = 20).
fec-redundant: The number of redundant Forward Error Correction packets (1 - 100, default = 10).
fec-send-timeout: The time before sending Forward Error Correction packets, in milliseconds (1 - 1000, default = 8).
fec-receive-timeout: The time before dropping Forward Error Correction packets, in milliseconds (1 - 10000, default = 5000).
This article shows the new option on FortiOS 6.2 that forward Error Correction for IPsec VPN.
Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth.
Solution
Six new parameters are added to the IPsec phase1-interface settings:
fec-ingress: Enable/disable Forward Error Correction for ingress IPsec traffic (default = disable).
fec-egress: Enable/disable Forward Error Correction for egress IPsec traffic (default = disable).
fec-base: The number of base Forward Error Correction packets (1 - 100, default = 20).
fec-redundant: The number of redundant Forward Error Correction packets (1 - 100, default = 10).
fec-send-timeout: The time before sending Forward Error Correction packets, in milliseconds (1 - 1000, default = 8).
fec-receive-timeout: The time before dropping Forward Error Correction packets, in milliseconds (1 - 10000, default = 5000).
FEC is disabled by default. FortiGate supports unidirectional and bidirectional FEC, and achieves the expected packet loss ration and latency by tuning the above parameters.
Two checkboxes are added to the IPsec phase1 settings in the GUI:To configure FEC with the CLI:# config vpn ipsec phase1-interfaceTo debug the VPN tunnel:
edit "demo"
........................
set fec-egress enable
set fec-ingress enable
set fec-base 20
set fec-redundant 10
set fec-send-timeout 8
set fec-receive-timeout 5000
......................
next
end# FGT-A # diagnose vpn tunnel listNote:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=demo ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000 <<<<<<<<<<<<<<<<<<<<<<
fec-ingress: base=20 redundant=10 <<<<<<<<<<<<<<<<<<<<<<
proxyid=demo proto=0 sa=1 ref=2 serial=1
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:173.1.1.0/255.255.255.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555
ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329
ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
In order to be able to enable forward error correction, the npu-offload has to be disabled first.# config vpn ipsec phase1-interfaceThen FEC can be enabled.
edit <name>
set npu-offload disable
end# config vpn ipsec phase1-interface
edit <name>
set fec-egress enable
end
