FortiGate
nalexiou
Staff & Editor
Article Id 391180
Description

This article explains the behaviour of SoC5 (NP7lite) platforms when vpn-id-ipip encapsulation is configured on IPsec tunnel(s).

Scope

FortiOS versions earlier than 7.4.8,

FortiOS version 7.6.0,

FortiOS version 7.2, all releases.

Solution

The vpn-id-ipip encapsulation was added as a new feature in FortiOS version 7.2.0 and is included in all later releases.

On SoC5 (NP7lite) platforms specifically, NPU offloading does not support acceleration of IPIP in versions earlier than 7.4.8 or in 7.6.0.

In this case, when vpn-id-ipip is configured on an IPsec tunnel, npu-offload should be disabled under phase1; otherwise packet loss will be observed.

config vpn ipsec phase1-interface
    edit "tunnel"
        set type dynamic
        set interface "vlan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set npu-offload disable    <-----
        set dhgrp 5
        set auto-discovery-sender enable
        set auto-discovery-offer-interval 10
        set encapsulation vpn-id-ipip    <-----
        set psksecret ENC xxxxxxxxxx
    next
end

In FortiOS version 7.6.1 and above, and in the 7.4 train starting from v7.4.8, npu-offload can be enabled because IPIP acceleration is supported.
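
To audit a configuration backup for this condition, the following added example (not Fortinet code) lists phase1-interface tunnels that use vpn-id-ipip while npu-offload is still enabled on an affected release. It assumes the device is a SoC5 (NP7lite) model, that a missing npu-offload line means the default value enable, and it uses a constructed sample configuration; the function names are hypothetical.

```python
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "hub-a"
        set npu-offload disable
        set encapsulation vpn-id-ipip
    next
    edit "hub-b"
        set encapsulation vpn-id-ipip
    next
    edit "plain"
        set proposal aes128-sha256
    next
end
'''  # constructed sample, not taken from a real device

def ipip_offload_unsupported(version):
    """Affected releases per the article: 7.2.0 up to but excluding 7.4.8, and 7.6.0."""
    v = tuple(int(p) for p in version.split("."))
    return (7, 2, 0) <= v < (7, 4, 8) or v == (7, 6, 0)

def phase1_entries(config_text):
    """Yield (tunnel name, settings dict) for each phase1-interface entry."""
    in_section, depth, name, settings = False, 0, None, {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_section:
            in_section = line == "config vpn ipsec phase1-interface"
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry; its lines are skipped
        elif line == "end":
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            name, settings = line[5:].strip().strip('"'), {}
        elif depth == 0 and name and line.startswith("set "):
            key, _, value = line[4:].strip().partition(" ")
            settings[key] = value.strip()
        elif depth == 0 and name and line == "next":
            yield name, settings
            name = None

def tunnels_needing_offload_disabled(config_text, version):
    """vpn-id-ipip tunnels with npu-offload still enabled (device assumed SoC5/NP7lite)."""
    affected = ipip_offload_unsupported(version)
    # Assumption: no "set npu-offload" line means the default, enable.
    return [n for n, s in phase1_entries(config_text)
            if affected and s.get("encapsulation") == "vpn-id-ipip"
            and s.get("npu-offload", "enable") != "disable"]

if __name__ == "__main__":
    print(tunnels_needing_offload_disabled(SAMPLE_CONFIG, "7.4.7"))
```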
