Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
seatrope
New Contributor

AES-GCM for Forticlient IPSec?

Hi everyone - posted something but was "marked as spam" perhaps due to external HTML links. Posting again without the links.

Has anyone successfully set up AES-GCM encryption for Forticlient IPSec Phase 2 connection?

Seeing some per-core limitations for IPSec throughput using AES-CBC as it's not parallelizable and hoping that AES-GCM will be better on the client side. On a 1Gbps - 1Gbps connection a client 5900X Ryzen maxes out one core and limits throughput to about 650 Mbps.

We have a 100F so AES-GCM should be offloadable to SOC4 NP6Lite.

Hoping to get more throughput efficiency. It's very confusing as to whether AES-GCM can be used with RADIUS xauth for MFA as well.

Also, does anyone know what the difference is between "suite-b gcm" and AES-GCM? Are these the same? They are named differently on different Fortinet versions.

Thank you all in advance. Been trying to get this going for over 2 years now.

2 REPLIES
hbac
Staff

Hi @seatrope,

 

With the AESGCM encryption algorithm, IPsec traffic cannot offload NPU/CP. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/238852/encryption-algorithms...

 

Regards, 

seatrope
New Contributor

Hi @hbac ,

 

Yes, I looked into this. The 100F has SOC4 which has NP6XLite I believe. This is what your linked page says:

Suite-B is a set of AES encryption with ICV in GCM mode. IPsec traffic can be offloaded on NP6XLite and NP7 platforms. They cannot be offloaded on other NP6 processors and below. CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiOS supports:
