Hi everyone - posted something but was "marked as spam" perhaps due to external HTML links. Posting again without the links.
Has anyone successfully set up AES-GCM encryption for Forticlient IPSec Phase 2 connection?
Seeing some per-core limitations for IPSec throughput using AES-CBC as it's not parallelizable and hoping that AES-GCM will be better on the client side. On a 1Gbps - 1Gbps connection a client 5900X Ryzen maxes out one core and limits throughput to about 650 Mbps.
We have a 100F so AES-GCM should be offloadable to SOC4 NP6Lite.
Hoping to get more throughput efficiency. It's very confusing as to whether AES-GCM can be used with RADIUS xauth for MFA as well.
Also, does anyone know what the difference is between "suite-b gcm" and AES-GCM? Are these the same? They are named differently on different Fortinet versions.
Thank you all in advance. Been trying to get this going for over 2 years now.
Hi @seatrope,
With the AESGCM encryption algorithm, IPsec traffic cannot offload NPU/CP. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/238852/encryption-algorithms...
Regards,
Hi @hbac,
Yes, I looked into this. The 100F has SOC4 which has NP6XLite I believe. This is what your linked page says:
Suite-B is a set of AES encryption with ICV in GCM mode. IPsec traffic can be offloaded on NP6XLite and NP7 platforms. They cannot be offloaded on other NP6 processors and below. CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiOS supports: