FortiGate
ddabhade
Staff
Article Id 208677
Description This article describes how IPsec hardware acceleration behaves when the IPsec VPN is bound to a Loopback interface, and how to verify from the CLI whether a tunnel's SAs are offloaded.
Scope FortiGate.
Solution

For FortiGates with NP6 or NP6lite processors, and for NP7 on FortiOS up to v7.0.5 or v7.2.0, an IPsec VPN whose source interface is a Loopback interface is not hardware accelerated, because the loopback interface does not support NPU offloading. This may lead to performance issues.

It is recommended to configure IPsec to use a Physical interface.

 

For devices with NP7 running FortiOS v7.0.6, v7.2.1 or later, hardware acceleration is supported on Loopback interfaces.

 

To verify this on the unit, run the command 'diagnose vpn tunnel list' and locate the tunnel in question.

 

For easier reading, an abbreviated sample output is shown below:

 

name=to10.183.4.123 ver=2 serial=1 172.16.1.1:0->10.183.4.123:0 tun_id=10.183.4.123 tun_id6=::10.183.4.123 dst_mtu=0 dpd-link=on weight=1
bound_if=0 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
proxyid=to10.183.4.123 proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
npu_flag=00 npu_rgwy=10.183.4.123 npu_lgwy=172.16.1.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0

 

Two key factors should be noted:

 

  1. The bound_if value is always 0 when a tunnel is bound to a loopback interface. If the VPN is bound to another type of interface, this number is the index of that interface, which can be found with the command 'diagnose ip address list'.

  2. The npu_flag indicates whether the NPU is involved in the encryption and decryption of ESP packets. The most common values are:
    1. npu_flag=00 means there is no hardware acceleration done, and IPsec SA is not being pushed to NP.
    2. npu_flag=01 means hardware acceleration is performed only in the outbound direction [encryption].
    3. npu_flag=02 means hardware acceleration is performed only in the inbound direction [decryption].
    4. npu_flag=03 means traffic is hardware-accelerated in both inbound & outbound directions.

 

In FortiOS v5.4.0 and later, the fields dec_npuid=x and enc_npuid=y indicate which NP6 processor holds the inbound and outbound IPsec Security Associations:

 

dec_npuid --> NP6 chip where the inbound SA (SA-dec) is installed.

enc_npuid --> NP6 chip where the outbound SA (SA-enc) is installed.

 

Interpretation:

 

(dec|enc)_npuid = 0 → The corresponding SA (dec or enc) is not offloaded to NP6 hardware.

(dec|enc)_npuid = x → The SA is offloaded to NP6 chip number x. Since NP6 chips are named starting from np6_0, chip number x corresponds to np6_(x-1).

 

Example:

 

enc_npuid = 2 → outbound SA is on np6_1.

dec_npuid = enc_npuid = 2 → Both inbound and outbound SAs are offloaded to the second NP6 chip, which is np6_1.
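The following is an added example, not part of the original article or of FortiOS: a small Python parser that applies the bound_if, npu_flag and dec/enc_npuid rules above to 'diagnose vpn tunnel list' output and reports, per tunnel, whether it is loopback-bound and which NP6 chips (if any) hold its SAs. The sample output is constructed and abbreviated; tunnel names, addresses and interface index 7 are made up.

```python
import re

# Constructed, abbreviated 'diagnose vpn tunnel list' output with two tunnels:
# the first is loopback-bound (bound_if=0) with no offload, the second is bound
# to a physical interface (index 7, made up) with both SAs on the second NP6 chip.
SAMPLE_OUTPUT = """\
name=to10.183.4.123 ver=2 serial=1 172.16.1.1:0->10.183.4.123:0 tun_id=10.183.4.123 dst_mtu=0 dpd-link=on weight=1
bound_if=0 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
npu_flag=00 npu_rgwy=10.183.4.123 npu_lgwy=172.16.1.1 npu_selid=1 dec_npuid=0 enc_npuid=0
name=to10.183.4.124 ver=2 serial=2 172.16.1.1:0->10.183.4.124:0 tun_id=10.183.4.124 dst_mtu=1438 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=1 role=primary
npu_flag=03 npu_rgwy=10.183.4.124 npu_lgwy=172.16.1.1 npu_selid=2 dec_npuid=2 enc_npuid=2
"""

# npu_flag meanings as given in the article.
NPU_FLAG = {"00": "no offload", "01": "outbound (encrypt) only",
            "02": "inbound (decrypt) only", "03": "inbound and outbound"}

def npu_chip(npuid):
    """Map dec_npuid/enc_npuid to the chip name: 0 = not offloaded, x = np6_(x-1)."""
    return None if npuid == 0 else f"np6_{npuid - 1}"

def parse_tunnels(text):
    """Split the output into one dict per tunnel; a 'name=' line starts a new record."""
    tunnels, cur = [], None
    for line in text.splitlines():
        if line.startswith("name="):
            cur = {}
            tunnels.append(cur)
        if cur is None:
            continue
        for key, val in re.findall(r"(\w+)=(\S+)", line):
            cur.setdefault(key, val)  # keep the first value; 'serial' repeats per record

    return tunnels

def assess(tun):
    """Apply the article's rules to one parsed tunnel record."""
    flag = tun.get("npu_flag", "00")
    dec, enc = int(tun.get("dec_npuid", 0)), int(tun.get("enc_npuid", 0))
    return {
        "name": tun["name"],
        "loopback_bound": tun.get("bound_if") == "0",  # bound_if=0 on loopback
        "npu_flag": NPU_FLAG.get(flag, f"unknown ({flag})"),
        "dec_chip": npu_chip(dec),
        "enc_chip": npu_chip(enc),
        "accelerated": flag == "03",  # offloaded in both directions
    }

def report(text):
    """Return the assessment for every tunnel in the given CLI output."""
    return [assess(t) for t in parse_tunnels(text)]
```

A tunnel reported as loopback_bound with "no offload" on an affected FortiOS version is the case the article describes; moving the VPN to a physical interface is the documented remedy.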