Hi all,
Has anyone successfully set up AES-GCM encryption for Forticlient IPSec Phase 2 connection?
Seeing some per-core limitations for IPSec throughput using AES-CBC as it's not parallelizable and hoping that AES-GCM will be better on the client side. On a 1Gbps - 1Gbps connection a client 5900X Ryzen maxes out one core and limits throughput to about 650 Mbps.
We have a 100F so AES-GCM should be offloadable to SOC4 NP6Lite.
Here are some links to improved efficiency and performance with GCM.
https://calomel.org/aesni_ssl_performance.html
https://layer77.net/2020/06/16/vpn-throughput-tests-palo-alto-vm-300-to-gcp/
Thanks all!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Setting up AES-GCM encryption for a FortiClient IPSec Phase 2 connection is indeed feasible and can offer performance benefits over AES-CBC, especially in high-throughput scenarios. AES-GCM (Galois/Counter Mode) is known for its efficiency and ability to be parallelized, which can lead to better performance on multi-core processors like the Ryzen 5900X you mentioned.
Given your situation, where AES-CBC is maxing out a single core and limiting throughput, switching to AES-GCM should help in better distributing the load across multiple cores, potentially increasing the throughput closer to your 1Gbps target.
Regarding the FortiGate 100F, it is equipped with the SOC4 NP6Lite, which supports hardware acceleration for AES-GCM. This means that the encryption and decryption processes can be offloaded to the hardware, further improving performance and freeing up CPU resources on your FortiGate device.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.