Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gpap_FTNT
Staff
Staff

Created on ‎10-29-2019 01:43 AM Edited on ‎02-03-2025 04:19 AM By Moderator

Article Id 191567

Technical Tip: Forward Error Correction for IPsec VPN

Description

 

This article describes the new option on FortiOS v6.2 that forwards Error Correction for IPsec VPN.
Forward Error Correction (FEC) is used to lower the packet loss ratio by consuming more bandwidth.

 

Scope

 

FortiGate.

Solution

 

Six new parameters are added to the IPsec phase1-interface settings:

fec-ingress: Enable/disable Forward Error Correction for ingress IPsec traffic (default = disable). fec-ingress waits for duplicate packets if the final packet is lost.
fec-egress: Enable/disable Forward Error Correction for egress IPsec traffic (default = disable). fec-engress sends duplicate packets. 
fec-base: The number of base Forward Error Correction packets (1 - 100, default = 20).
fec-redundant: The number of redundant Forward Error Correction packets (1 - 100, default = 10).
fec-send-timeout: The time before sending Forward Error Correction packets, in milliseconds (1 - 1000, default = 8).
fec-receive-timeout: The time before dropping Forward Error Correction packets, in milliseconds (1 - 10000, default = 5000).

 

FEC is disabled by default. FortiGate supports unidirectional and bidirectional FEC and achieves the expected packet loss ratio and latency by tuning the above parameters.

Two checkboxes are added to the IPsec phase1 settings in the GUI:

 

JeanPhilippe_P_0-1737544123317.png

 
To configure FEC with the CLI:
 
config vpn ipsec phase1-interface
    edit "demo"
    ........................
        set fec-egress enable
        set fec-ingress enable
        set fec-base 20
        set fec-redundant 10
        set fec-send-timeout 8
        set fec-receive-timeout 5000
    ......................
    next
end
 
To debug the VPN tunnel:
 
FGT-A # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=demo ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev frag-rfc fec-egress fec-ingress  accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec-egress: base=20 redundant=10 remote_port=50000     <----
fec-ingress: base=20 redundant=10                                 <----
proxyid=demo proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:173.1.1.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1390 expire=42897/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555
       ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
  enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329
       ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
 
Note:
To be able to enable forward error correction, the npu-offload has to be disabled first.
 
config vpn ipsec phase1-interface
    edit <name>
        set npu-offload disable
end
 
Then FEC can be enabled.

config vpn ipsec phase1-interface
    edit <name>
        set fec-egress enable
end
 
Related article:
Labels:
18048
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.