FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rteodorescu
Staff
Staff

Description

 

This article explains IPsec VPN offloading with AES-GCM encryption. For more information on Suite-B and other encryption algorithms supported by FortiOS, see Encryption Algorithms in the FortiOS Cookbook. For more information about FortiGate's CP9, CP9XLite and CP9Lite capabilities, see the user documentation.

Scope


For FortiGates with CP9, CP9XLite and CP9Lite ASIC.

Solution

 

Consider the following debug flow and session list:

 

Debug flow:


id=20085 trace_id=27 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet (proto=1, 10.191.35.71:1->2.2.2.2:2048) from mgmt. type=8, code=0, id=1, seq=26."
id=20085 trace_id=27 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00015869, original direction"
id=20085 trace_id=27 func=npu_handle_session44 line=1164 msg="Trying to offloading session from mgmt to vpn-tunnel, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x03040000"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=399 msg="state=00000204, state2=00000001, npu_state=03040000"
id=20085 trace_id=27 func=__ip_session_run_tuple line=3412 msg="SNAT 10.191.35.71->10.191.36.61:60417"
id=20085 trace_id=27 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-vpn-tunnel"
id=20085 trace_id=27 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=27 func=ipsec_output_finish line=618 msg="send to 10.191.20.62 via intf-port2"

 

Session list:

 

session info: proto=1 proto_state=00 duration=24 expire=38 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=vpn-tunnel/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
tx speed(Bps/kbps): 9/0 rx speed(Bps/kbps): 9/0
orgin->sink: org pre->post, reply pre->post dev=3->52/52->3 gwy=2.2.2.2/10.191.35.71
hook=post dir=org act=snat 10.191.35.71:1->2.2.2.2:8(10.191.36.61:60417)
hook=pre dir=reply act=dnat 2.2.2.2:60417->10.191.36.61:0(10.191.35.71:1)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00015869 tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3040000
no_ofld_reason:  non-npu-intf
total session 1

 

Stephen_G_0-1667576918673.png

 
According to the debug flow, the FortiGate is trying to offload the IPsec VPN traffic.
In the session list, it is possible to see that the NPU ASIC is not capable of handling the encryption in use.
 
The tunnel list also shows 'npu_flag=20'. IPsec SA cannot be offloaded to NPU because either the cipher or the HMAC is not supported by NPU.
 
Because AES-GCM encryption is handled only by the CP9 ASIC processor, it's possible to check the CP9 stats and see that the packets are offloaded correctly, both for encryption and decryption:
 
Stephen_G_1-1667577424055.png

 

Note:
Upon selecting AES-GCM on the FortiGate VPN settings, the authentication field will become unavailable. This is because AES-GCM provides both authenticated encryption (confidentiality and authentication) and the ability to check the integrity and authentication of additional authenticated data.

 

Contributors