FortiGate
Author: ddabhade (Staff)
Article Id 208677
Description: This article describes when hardware acceleration for IPsec tunnels bound to a loopback interface is supported.
Scope: FortiGate.
Solution

For FortiGates with NP6, NP6lite or NP7 processors (on FortiOS up to 7.0.5 or 7.2.0), configuring an IPsec VPN with a loopback interface as its source interface may lead to performance issues, because the loopback interface does not support hardware acceleration.

It is recommended to configure IPsec on an npu-vlink interface (in a multi-VDOM setup) or on a physical interface instead.


For devices with NP7 running FortiOS 7.0.6, 7.2.1 or later, hardware acceleration is supported on loopback interfaces.


To verify this on your unit, run the command "diagnose vpn tunnel list" and locate your tunnel in the output.


For easier reading, an abbreviated sample of the output is shown below:


name=to10.183.4.123 ver=2 serial=1 172.16.1.1:0->10.183.4.123:0 tun_id=10.183.4.123 tun_id6=::10.183.4.123 dst_mtu=0 dpd-link=on weight=1
bound_if=0 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
proxyid=to10.183.4.123 proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
npu_flag=00 npu_rgwy=10.183.4.123 npu_lgwy=172.16.1.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0


There are two key factors that should be noted:


  1. The bound_if value will always be 0 when a tunnel is bound to a loopback interface. If the VPN is bound to another type of interface, this number is the index of that interface, which can be found with the command 'diagnose ip address list'.

  2. The npu_flag value indicates whether the NPU is involved in encrypting and decrypting ESP packets. The most common values are:

    1. npu_flag=00 means there is no hardware acceleration done, and IPsec SA is not being pushed to NP.
    2. npu_flag=01 means hardware acceleration is performed only in the outbound direction [encryption].
    3. npu_flag=02 means hardware acceleration is performed only in the inbound direction [decryption].
    4. npu_flag=03 means traffic is hardware accelerated in both inbound & outbound directions.
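As an added example that is not part of the article or of any Fortinet tooling, the following Python script applies the two checks above to saved "diagnose vpn tunnel list" output: it splits the output into tunnels, reads bound_if and npu_flag for each, decodes npu_flag as the bitmask the article documents (01 outbound, 02 inbound, 03 both), and reports tunnels that are bound to a loopback interface or are not fully offloaded. The sample output is constructed: the first tunnel is the article's excerpt, the second is an invented tunnel on a physical interface with full NPU offload. Reading npu_flag as a hexadecimal value is an assumption (it makes no difference for the documented values 00 to 03).

```python
import re
import sys

# Constructed sample (assumption): tunnel 1 is the article's excerpt, tunnel 2 is
# an invented tunnel bound to interface index 5 with offload in both directions.
SAMPLE_OUTPUT = """\
name=to10.183.4.123 ver=2 serial=1 172.16.1.1:0->10.183.4.123:0 tun_id=10.183.4.123 tun_id6=::10.183.4.123 dst_mtu=0 dpd-link=on weight=1
bound_if=0 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
proxyid=to10.183.4.123 proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
npu_flag=00 npu_rgwy=10.183.4.123 npu_lgwy=172.16.1.1 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0
name=to-branch ver=2 serial=3 172.16.1.1:0->10.183.4.200:0 tun_id=10.183.4.200 dst_mtu=0 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
proxyid=to-branch proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
npu_flag=03 npu_rgwy=10.183.4.200 npu_lgwy=172.16.1.1 npu_selid=2 dec_npuid=1 enc_npuid=1
run_tally=0
"""

# Matches each key=value token; the lazy key stops at the first '=' so that
# values such as tun_id6=::10.183.4.123 are kept whole.
KEY_VALUE = re.compile(r"(\S+?)=(\S+)")


def parse_tunnels(text):
    """Split the output into one dict per tunnel.

    A new tunnel starts at every 'name=' line; key=value tokens on the following
    lines are attached to it. The first occurrence of a key wins, so the
    tunnel-level serial= is kept rather than the proxyid-level one.
    """
    tunnels = []
    current = None
    for line in text.splitlines():
        if line.startswith("name="):
            current = {}
            tunnels.append(current)
        if current is None:
            continue  # text before the first tunnel
        for key, value in KEY_VALUE.findall(line):
            current.setdefault(key, value)
    return tunnels


def describe_npu_flag(flag):
    """Decode npu_flag as a bitmask: bit 0x01 = outbound, bit 0x02 = inbound."""
    if flag == 0:
        return "no hardware acceleration (IPsec SA not pushed to the NP)"
    parts = []
    if flag & 0x01:
        parts.append("outbound (encryption)")
    if flag & 0x02:
        parts.append("inbound (decryption)")
    if flag & ~0x03:
        parts.append("undocumented bits 0x%02x" % (flag & ~0x03))
    return "hardware accelerated: " + ", ".join(parts)


def assess(tunnel):
    """Summarise the two fields the article says to check for one tunnel."""
    bound_if = int(tunnel.get("bound_if", "0"))
    flag = int(tunnel.get("npu_flag", "00"), 16)  # hex is an assumption
    findings = []
    if bound_if == 0:
        findings.append("bound_if=0: tunnel is bound to a loopback interface")
    if flag == 0:
        findings.append("npu_flag=00: ESP handled in software, expect lower throughput")
    elif (flag & 0x03) != 0x03:
        findings.append("npu_flag=%02x: only one direction is offloaded" % flag)
    return {
        "name": tunnel.get("name", "?"),
        "bound_if": bound_if,
        "npu_flag": flag,
        "npu_status": describe_npu_flag(flag),
        "accelerated": (flag & 0x03) == 0x03,
        "findings": findings,
    }


def report(text):
    """Assess every tunnel found in the given command output."""
    return [assess(t) for t in parse_tunnels(text)]


if __name__ == "__main__":
    # Pipe saved output in, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for r in report(text):
        print("%s: bound_if=%d npu_flag=%02x -> %s"
              % (r["name"], r["bound_if"], r["npu_flag"], r["npu_status"]))
        for f in r["findings"]:
            print("   ! " + f)
```

Run it as `python3 check_npu.py < tunnel_list.txt` against output saved from the FortiGate CLI. A tunnel that reports both bound_if=0 and npu_flag=00 on an NP6/NP6lite unit, or on an NP7 unit before 7.0.6 / 7.2.1, is the case the article describes and is a candidate for moving to an npu-vlink or physical interface.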