Created on 09-10-2021 02:43 AM. Edited on 11-04-2022 09:11 AM by Stephen_G.
Description
This article explains IPsec VPN offloading with AES-GCM encryption. For more information on Suite-B and other encryption algorithms supported by FortiOS, see Encryption Algorithms in the FortiOS Cookbook. For more information about FortiGate's CP9, CP9XLite and CP9Lite capabilities, see the user documentation.
Scope
FortiGates with a CP9, CP9XLite or CP9Lite ASIC.
Solution
Consider the following debug flow (diagnose debug flow) and session list (diagnose sys session list) for an ICMP session (proto=1) that enters on the mgmt interface and leaves through the IPsec tunnel vpn-tunnel. The debug flow shows the kernel attempting to offload the session (npu_handle_session44) and then encrypting the packet itself (esp_output4, IPsec encrypt/auth) before sending it out port2. The session list ends with no_ofld_reason: non-npu-intf: the ingress interface mgmt is not attached to an NPU, so the session stays in the kernel and is not NPU-offloaded, even though it is bound to the tunnel (tunnel=vpn-tunnel/). When checking whether an AES-GCM tunnel session is offloaded, the no_ofld_reason line, the state line (an offloaded session carries the npu flag) and npu_state are the fields to read first.
Debug flow:
id=20085 trace_id=27 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet (proto=1, 10.191.35.71:1->2.2.2.2:2048) from mgmt. type=8, code=0, id=1, seq=26."
id=20085 trace_id=27 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00015869, original direction"
id=20085 trace_id=27 func=npu_handle_session44 line=1164 msg="Trying to offloading session from mgmt to vpn-tunnel, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x03040000"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=399 msg="state=00000204, state2=00000001, npu_state=03040000"
id=20085 trace_id=27 func=__ip_session_run_tuple line=3412 msg="SNAT 10.191.35.71->10.191.36.61:60417"
id=20085 trace_id=27 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-vpn-tunnel"
id=20085 trace_id=27 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=27 func=ipsec_output_finish line=618 msg="send to 10.191.20.62 via intf-port2"
Session list:
session info: proto=1 proto_state=00 duration=24 expire=38 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=vpn-tunnel/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
tx speed(Bps/kbps): 9/0 rx speed(Bps/kbps): 9/0
orgin->sink: org pre->post, reply pre->post dev=3->52/52->3 gwy=2.2.2.2/10.191.35.71
hook=post dir=org act=snat 10.191.35.71:1->2.2.2.2:8(10.191.36.61:60417)
hook=pre dir=reply act=dnat 2.2.2.2:60417->10.191.36.61:0(10.191.35.71:1)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00015869 tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3040000
no_ofld_reason: non-npu-intf
total session 1
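On a busy unit it is tedious to read no_ofld_reason by eye for every entry. As an added example that is not part of the original article and not a Fortinet tool, the script below parses diagnose sys session list output, groups sessions by offload outcome and tallies the kernel's reasons, so every session that fell back to the kernel IPsec path is listed with its ingress device, tunnel and policy. The sample input is constructed: the first entry is an abridged copy of the session above, the second is a made-up TCP session through the same tunnel that the NPU accepted. The script assumes that an offloaded session shows an npu token on its state line or an npu info: line, and that the text before the slash in tunnel= is the original-direction tunnel; both are assumptions about FortiOS output rather than statements from the article.

```python
import re
from collections import Counter

# Constructed sample input (abridged 'diagnose sys session list' output).
# Entry 1 is the article's session (ingress on mgmt, dev 3, not offloaded);
# entry 2 is a made-up TCP session through the same tunnel that the NPU took.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=24 expire=38 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=vpn-tunnel/ vlan_cos=0/255
state=log may_dirty f00
orgin->sink: org pre->post, reply pre->post dev=3->52/52->3 gwy=2.2.2.2/10.191.35.71
hook=post dir=org act=snat 10.191.35.71:1->2.2.2.2:8(10.191.36.61:60417)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00015869 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x3040000
no_ofld_reason: non-npu-intf
session info: proto=6 proto_state=01 duration=130 expire=3470 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=vpn-tunnel/ vlan_cos=0/255
state=log may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=9->52/52->9 gwy=2.2.2.2/10.191.36.10
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00015a02 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x4000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/160, ipid=160/64, vlan=0x0000/0x0000
total session 2
"""

# Fields that can appear anywhere inside an entry (they share lines with others).
FIELD_PATTERNS = {
    "serial": re.compile(r"\bserial=([0-9a-fA-F]+)"),
    "policy_id": re.compile(r"\bpolicy_id=(\d+)"),
    "tunnel": re.compile(r"\btunnel=(\S*)"),
    "dev": re.compile(r"\bdev=(\d+)->(\d+)"),
}


def parse_session_list(text):
    """Split session-list output into one dict per 'session info:' entry,
    keeping only the fields needed for offload triage."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            m = re.search(r"\bproto=(\d+)", line)
            cur = {"proto": int(m.group(1)) if m else None, "serial": None,
                   "policy_id": None, "tunnel": "", "dev_in": None,
                   "dev_out": None, "state_flags": [], "npu_state": None,
                   "npu_info": False, "no_ofld_reason": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # text before the first entry (or the trailing total line)
        if line.startswith("state="):
            cur["state_flags"] = line[len("state="):].split()
        elif line.startswith("no_ofld_reason:"):
            cur["no_ofld_reason"] = line.split(":", 1)[1].strip()
        elif line.startswith("npu info:"):
            cur["npu_info"] = True  # assumption: printed only for offloaded sessions
        elif line.startswith("npu_state="):
            cur["npu_state"] = line.split("=", 1)[1].strip()
        for key, pat in FIELD_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "dev":
                cur["dev_in"], cur["dev_out"] = int(m.group(1)), int(m.group(2))
            elif key == "tunnel":
                cur["tunnel"] = m.group(1).split("/")[0]  # org-direction tunnel only
            elif key == "policy_id":
                cur["policy_id"] = int(m.group(1))
            else:
                cur["serial"] = m.group(1)
    return sessions


def is_offloaded(sess):
    """An explicit no_ofld_reason always means not offloaded; otherwise rely on
    the npu state flag or an npu info line (assumption about FortiOS output)."""
    if sess["no_ofld_reason"]:
        return False
    return sess["npu_info"] or "npu" in sess["state_flags"]


def offload_report(text):
    """Group sessions by offload outcome and count the kernel's stated reasons."""
    report = {"offloaded": [], "not_offloaded": {}, "reason_counts": Counter()}
    for s in parse_session_list(text):
        if is_offloaded(s):
            report["offloaded"].append(s["serial"])
            continue
        reason = s["no_ofld_reason"] or "unknown (no no_ofld_reason line)"
        report["not_offloaded"][s["serial"]] = {
            "reason": reason, "proto": s["proto"], "ingress_dev": s["dev_in"],
            "egress_dev": s["dev_out"], "tunnel": s["tunnel"],
            "policy_id": s["policy_id"], "npu_state": s["npu_state"],
        }
        report["reason_counts"][reason] += 1
    return report


if __name__ == "__main__":
    rep = offload_report(SAMPLE_SESSION_LIST)
    print("offloaded:", rep["offloaded"])
    for serial, info in rep["not_offloaded"].items():
        print(f"not offloaded serial={serial} reason={info['reason']} "
              f"dev={info['ingress_dev']}->{info['egress_dev']} tunnel={info['tunnel']}")
    print("reasons:", dict(rep["reason_counts"]))
```

Feed it the saved output of diagnose sys session list; the reason_counts tally shows at a glance whether most non-offloaded tunnel traffic shares one cause, such as every entry entering on a non-NPU interface, before you start changing interface or tunnel settings.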