VPN and ASIC offload

This topic provides a brief introduction to VPN traffic offloading.

IPsec traffic processed by NPU

  1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
    # get hardware status 
    Model name: FortiGate-900D
    ASIC version: CP8
    ASIC SRAM: 64M
    CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
    Number of CPUs: 4
    RAM: 16065 MB
    Compact Flash: 1925 MB /dev/sda
    Hard disk: 244198 MB /dev/sdb
    USB Flash: not available
    Network Card chipset: FortiASIC NP6 Adapter (rev.)
  2. Check the port-to-NPU mapping.
    # diagnose npu np6 port-list 
    Chip   XAUI Ports            Max   Cross-chip 
                                 Speed offloading 
    ----
    np6_0  0    
            1.    port17           1G    Yes        
            1.    port18           1G    Yes        
            1.    port19           1G    Yes        
            1.    port20           1G    Yes        
            1.    port21           1G    Yes        
            1.    port22           1G    Yes        
            1.    port23           1G    Yes        
            1.    port24           1G    Yes        
            1.    port27           1G    Yes        
            1.    port28           1G    Yes        
            1.    port25           1G    Yes        
            1.    port26           1G    Yes        
            1.    port31           1G    Yes        
            1.    port32           1G    Yes        
            1.    port29           1G    Yes        
            1.    port30           1G    Yes        
            1.    portB            10G   Yes        
            1.    
    ----
    np6_1  0    
            1.    port1            1G    Yes        
            1.    port2            1G    Yes        
            1.    port3            1G    Yes        
            1.    port4            1G    Yes        
            1.    port5            1G    Yes        
            1.    port6            1G    Yes        
            1.    port7            1G    Yes        
            1.    port8            1G    Yes        
            1.    port11           1G    Yes        
            1.    port12           1G    Yes        
            1.    port9            1G    Yes        
            1.    port10           1G    Yes        
            1.    port15           1G    Yes        
            1.    port16           1G    Yes        
            1.    port13           1G    Yes        
            1.    port14           1G    Yes        
            1.    portA            10G   Yes        
            1.    
    ----
  3. Configure the npu-offload option in the IPsec phase1 settings to control whether the NPU encrypts/decrypts IPsec packets (enabled by default).
    config vpn ipsec {phase1 | phase1-interface}
        edit "vpn_name"
            set npu-offload {enable | disable}
        next
    end
  4. Check NPU offloading. The NPU encrypted/decrypted counter should tick. An npu_flag value of 03 means that the NPU processes the traffic in both directions.
    # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ----
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu 
    proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
    stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=4 serial=7
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048
           seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
      life: type=01 bytes=0/0 timeout=42930/43200
      dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958
           ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
      enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529
           ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
      dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826
      npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
    
    FGT_900D # diagnose vpn ipsec st
    All ipsec crypto devices in use:
    NP6_0:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 0                 1.               
            sha1             : 0                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NP6_1:
        Encryption (encrypted/decrypted)
            null             : 14976            15357           
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 1664             2047            
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 1664             2047            
            sha1             : 14976            15357           
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NPU Host Offloading:
        Encryption (encrypted/decrypted)
            null             : 3                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 3                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 3                 1.               
            sha1             : 3                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    CP8:
        Encryption (encrypted/decrypted)
            null             : 1                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 1                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 1                 1.               
            sha1             : 1                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    SOFTWARE:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 29882            29882           
            aria             : 21688            21688           
            seed             : 153774           153774          
            chacha20poly1305 : 29521            29521           
        Integrity (generated/validated)
            null             : 59403            59403           
            md5              : 0                 1.               
            sha1             : 175462           175462          
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
  5. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.

IPsec traffic processed by CP

  1. Check the NPU flag and CP counter.
    # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ----
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
    stat: rxp=8418 txp=8418 rxb=1251248 txb=685896
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=3 serial=7
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42037/0B replaywin=2048
           seqno=20e3 esn=0 replaywin_lastseq=000020e3 itn=0
      life: type=01 bytes=0/0 timeout=42928/43200
      dec: spi=e313ac48 esp=aes key=16 393770842f926266530db6e43e21c4f8
           ah=md5 key=16 b2e4e025e8910e95c1745e7855479cca
      enc: spi=706ffe05 esp=aes key=16 7ef749610335f9f50e252023926de29e
           ah=md5 key=16 0b81e4d835919ab2b8ba8edbd01aec9d
      dec:pkts/bytes=8418/685896, enc:pkts/bytes=8418/1251248
      npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
      
    FGT-D # diagnose vpn ipsec status 
    All ipsec crypto devices in use:
    NP6_0:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 0                 1.               
            sha1             : 0                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NP6_1:
        Encryption (encrypted/decrypted)
            null             : 14976            15357           
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 1664             2047            
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 1664             2047            
            sha1             : 14976            15357           
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NPU Host Offloading:
        Encryption (encrypted/decrypted)
            null             : 3                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 3                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 3                 1.               
            sha1             : 3                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    CP8:
        Encryption (encrypted/decrypted)
            null             : 1                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 8499             8499            
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 8499             8499            
            sha1             : 1                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    SOFTWARE:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 29882            29882           
            aria             : 21688            21688           
            seed             : 153774           153774          
            chacha20poly1305 : 29521            29521           
        Integrity (generated/validated)
            null             : 59403            59403           
            md5              : 0                 1.               
            sha1             : 175462           175462          
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1. 
  2. Two options control whether the CP processes packets. If they are disabled, packets are processed by the CPU.
    config system global
        set ipsec-asic-offload disable
        set ipsec-hmac-offload disable
    end 

IPsec traffic processed by CPU

IPsec traffic might be processed by the CPU for the following reasons:

  • Some low-end models do not have NPUs.
  • NPU offloading and CP IPsec traffic processing have been manually disabled.
  • Some types of proposals (SEED, ARIA, chacha20poly1305) are not supported by the NPU or CP.
  • The NPU flag is set to 00 and the software encrypt/decrypt counter ticks:

# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
----
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=12162 txp=12162 rxb=1691412 txb=1008216
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=8
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10602 type=00 soft=0 mtu=1453 expire=42903/0B replaywin=2048
       seqno=2d70 esn=0 replaywin_lastseq=00002d70 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=e313ac4d esp=chacha20poly1305 key=36 812d1178784c1130d1586606e44e1b9ab157e31a09edbed583be1e9cc82e8c9f2655a2cf
       ah=null key=0 
  enc: spi=706ffe0a esp=chacha20poly1305 key=36 f2727e001e2243549b140f1614ae3df82243adb070e60c33911f461b389b05a7a642e11a
       ah=null key=0 
  dec:pkts/bytes=11631/976356, enc:pkts/bytes=11631/1627692
  npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=0 enc_npuid=0

FGT_900D # diagnose vpn ipsec status 
All ipsec crypto devices in use:
NP6_0:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 0                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 0                 1.               
        sha1             : 0                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NP6_1:
    Encryption (encrypted/decrypted)
        null             : 14976            15357           
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 1664             2047            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 1664             2047            
        sha1             : 14976            15357           
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NPU Host Offloading:
    Encryption (encrypted/decrypted)
        null             : 3                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 3                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 3                 1.               
        sha1             : 3                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

CP8:
    Encryption (encrypted/decrypted)
        null             : 1                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 8865             8865            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 8865             8865            
        sha1             : 1                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

SOFTWARE:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 531              531             
        aes-gcm          : 29882            29882           
        aria             : 21688            21688           
        seed             : 153774           153774          
        chacha20poly1305 : 41156            41156           
    Integrity (generated/validated)
        null             : 71038            71038           
        md5              : 531              531             
        sha1             : 175462           175462          
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               
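
The checks listed above (the npu_flag value and the proposals that neither the NPU nor the CP supports) can be applied to saved output of diagnose vpn tunnel list. This is an added example, not part of the original page and not Fortinet code; the function names and sample tunnels are assumptions, and the sample uses a placeholder where the real command prints SA key material.

```python
import re

# Proposals the page lists as not supported by the NPU or the CP.
CPU_ONLY = {"seed", "aria", "chacha20poly1305"}

# Constructed sample in the layout of `diagnose vpn tunnel list`, trimmed to the
# lines the parser reads. Names and addresses are made up; KEY stands in for
# the hex key material that the real command prints for every SA.
SAMPLE = """\
list all ipsec tunnel in vd 0
----
name=to-npu ver=2 serial=1 192.0.2.1:0->198.51.100.1:0
  dec: spi=aaaa0001 esp=aes key=16 KEY
       ah=md5 key=16 KEY
  enc: spi=bbbb0001 esp=aes key=16 KEY
       ah=md5 key=16 KEY
  npu_flag=03 npu_rgwy=198.51.100.1 npu_lgwy=192.0.2.1 npu_selid=6 dec_npuid=2 enc_npuid=2
----
name=to-cp ver=2 serial=2 192.0.2.1:0->198.51.100.2:0
  dec: spi=aaaa0002 esp=aes key=16 KEY
       ah=md5 key=16 KEY
  enc: spi=bbbb0002 esp=aes key=16 KEY
       ah=md5 key=16 KEY
  npu_flag=00 npu_rgwy=198.51.100.2 npu_lgwy=192.0.2.1 npu_selid=6 dec_npuid=0 enc_npuid=0
----
name=to-cpu ver=2 serial=3 192.0.2.1:0->198.51.100.3:0
  dec: spi=aaaa0003 esp=chacha20poly1305 key=36 KEY
       ah=null key=0
  enc: spi=bbbb0003 esp=chacha20poly1305 key=36 KEY
       ah=null key=0
  npu_flag=00 npu_rgwy=198.51.100.3 npu_lgwy=192.0.2.1 npu_selid=7 dec_npuid=0 enc_npuid=0
"""


def parse_sas(text):
    """Return one record per SA: tunnel name, ESP/AH algorithms, npu_flag."""
    sas, name, esp, ah = [], None, set(), set()
    for line in text.splitlines():
        if m := re.match(r"\s*name=(\S+)", line):
            # A new tunnel starts; forget algorithms seen for the previous one.
            name, esp, ah = m.group(1), set(), set()
        esp.update(re.findall(r"\besp=(\S+)", line))
        ah.update(re.findall(r"\bah=(\S+)", line))
        if (m := re.search(r"\bnpu_flag=(\w+)", line)) and name:
            # The npu_flag line closes the SA block in the output.
            sas.append({"tunnel": name, "esp": esp, "ah": ah,
                        "npu_flag": m.group(1)})
            esp, ah = set(), set()
    return sas


def classify(sa):
    """Return (path, reason) using only the rules stated on this page."""
    flag = sa["npu_flag"]
    cpu_only = sorted(sa["esp"] & CPU_ONLY)
    if flag == "03":
        return ("NPU", "npu_flag=03, offloaded in both directions")
    if flag == "00" and cpu_only:
        return ("CPU", ", ".join(cpu_only) + " is not supported by the NPU or CP")
    if flag == "00":
        return ("CP or CPU", "npu_flag=00, compare the CP and SOFTWARE counters")
    return ("unknown", "npu_flag=" + flag + " is not described on this page")


def report(text):
    """Return [(tunnel, path, reason)] for every SA found in the output."""
    return [(sa["tunnel"], *classify(sa)) for sa in parse_sas(text)]


if __name__ == "__main__":
    for tunnel, path, reason in report(SAMPLE):
        print(f"{tunnel:8} {path:10} {reason}")
```

Because the real output carries live SA keys, run this only on captures that are stored and shared as sensitive data.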

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded and the NPU Host Offloading counter ticks.

# diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 0                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 0                 1.               
        sha1             : 0                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NP6_1:
    Encryption (encrypted/decrypted)
        null             : 14976            15357           
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 110080           2175            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 110080           2175            
        sha1             : 14976            15357           
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NPU Host Offloading:
    Encryption (encrypted/decrypted)
        null             : 3                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 111090            1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 111090            1.               
        sha1             : 3                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

CP8:
    Encryption (encrypted/decrypted)
        null             : 1                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 8865             8865            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 8865             8865            
        sha1             : 1                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

SOFTWARE:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 539              539             
        aes-gcm          : 29882            29882           
        aria             : 21688            21688           
        seed             : 153774           153774          
        chacha20poly1305 : 41259            41259           
    Integrity (generated/validated)
        null             : 71141            71141           
        md5              : 539              539             
        sha1             : 175462           175462          
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               
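
Each section above decides where IPsec traffic is processed by watching which counter ticks. The added example below (not part of the original page and not Fortinet code) automates that comparison for two saved outputs of diagnose vpn ipsec status; the snapshots are constructed and the function names are assumptions.

```python
import re

# Constructed snapshots in the layout of `diagnose vpn ipsec status`, trimmed to
# a few rows per device; the values are modeled on the outputs above.
BEFORE = """\
All ipsec crypto devices in use:
NP6_1:
    Encryption (encrypted/decrypted)
        aes              : 1664             2047
    Integrity (generated/validated)
        md5              : 1664             2047
CP8:
    Encryption (encrypted/decrypted)
        aes              : 8499             8499
    Integrity (generated/validated)
        md5              : 8499             8499
SOFTWARE:
    Encryption (encrypted/decrypted)
        aes              : 0                0
        chacha20poly1305 : 29521            29521
    Integrity (generated/validated)
        null             : 59403            59403
        md5              : 0                0
"""
AFTER = """\
All ipsec crypto devices in use:
NP6_1:
    Encryption (encrypted/decrypted)
        aes              : 1664             2047
    Integrity (generated/validated)
        md5              : 1664             2047
CP8:
    Encryption (encrypted/decrypted)
        aes              : 8865             8865
    Integrity (generated/validated)
        md5              : 8865             8865
SOFTWARE:
    Encryption (encrypted/decrypted)
        aes              : 531              531
        chacha20poly1305 : 41156            41156
    Integrity (generated/validated)
        null             : 71038            71038
        md5              : 531              531
"""

DEVICE = re.compile(r"^\s*(\S[^:]*):\s*$")
GROUP = re.compile(r"^\s*(Encryption|Integrity)\s*\(")
ROW = re.compile(r"^\s*([\w-]+)\s*:\s*(\d+)\s+(\d+)\s*$")


def parse_status(text):
    """Return {(device, group, algorithm): (first_counter, second_counter)}."""
    counters, device, group = {}, None, None
    for line in text.splitlines():
        if m := DEVICE.match(line):
            device, group = m.group(1), None
        elif m := GROUP.match(line):
            group = m.group(1).lower()
        elif (m := ROW.match(line)) and device and group:
            # Rows that do not hold two integers are skipped.
            counters[(device, group, m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return counters


def ticked(before, after):
    """Map device -> {"group/algorithm": (delta, delta)} for counters that rose."""
    old, new = parse_status(before), parse_status(after)
    moved = {}
    for key, now in new.items():
        prev = old.get(key, (0, 0))
        if now[0] < prev[0] or now[1] < prev[1]:
            prev = (0, 0)  # counters went backwards (e.g. a reboot): count from zero
        delta = (now[0] - prev[0], now[1] - prev[1])
        if any(delta):
            device, group, alg = key
            moved.setdefault(device, {})[f"{group}/{alg}"] = delta
    return moved


def processing_path(device):
    """Name the processing path the page associates with a counter section."""
    if device == "SOFTWARE":
        return "CPU"
    if device == "NPU Host Offloading":
        return "NPU host"
    if device.startswith("CP"):
        return "CP"
    if device.startswith("NP"):
        return "NPU"
    return "unknown"


def paths_in_use(before, after):
    """Return the sorted paths whose encryption counters ticked."""
    return sorted({processing_path(dev) for dev, algs in ticked(before, after).items()
                   if any(k.startswith("encryption/") for k in algs)})


if __name__ == "__main__":
    print(paths_in_use(BEFORE, AFTER), ticked(BEFORE, AFTER))
```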

            sha512           : 0                 1.               
    
    NPU Host Offloading:
        Encryption (encrypted/decrypted)
            null             : 3                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 3                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 3                 1.               
            sha1             : 3                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    CP8:
        Encryption (encrypted/decrypted)
            null             : 1                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 1                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 1                 1.               
            sha1             : 1                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    SOFTWARE:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 29882            29882           
            aria             : 21688            21688           
            seed             : 153774           153774          
            chacha20poly1305 : 29521            29521           
        Integrity (generated/validated)
            null             : 59403            59403           
            md5              : 0                 1.               
            sha1             : 175462           175462          
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
  5. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.

IPsec traffic processed by CP

  1. Check the NPU flag and CP counter.
    # diagnose vpn tunnel list 
    list all ipsec tunnel in vd 0
    ----
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
    stat: rxp=8418 txp=8418 rxb=1251248 txb=685896
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=3 serial=7
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42037/0B replaywin=2048
           seqno=20e3 esn=0 replaywin_lastseq=000020e3 itn=0
      life: type=01 bytes=0/0 timeout=42928/43200
      dec: spi=e313ac48 esp=aes key=16 393770842f926266530db6e43e21c4f8
           ah=md5 key=16 b2e4e025e8910e95c1745e7855479cca
      enc: spi=706ffe05 esp=aes key=16 7ef749610335f9f50e252023926de29e
           ah=md5 key=16 0b81e4d835919ab2b8ba8edbd01aec9d
      dec:pkts/bytes=8418/685896, enc:pkts/bytes=8418/1251248
      npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
      
    FGT-D # diagnose vpn ipsec status 
    All ipsec crypto devices in use:
    NP6_0:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 0                 1.               
            sha1             : 0                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NP6_1:
        Encryption (encrypted/decrypted)
            null             : 14976            15357           
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 1664             2047            
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 1664             2047            
            sha1             : 14976            15357           
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    NPU Host Offloading:
        Encryption (encrypted/decrypted)
            null             : 3                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 3                 1.               
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 3                 1.               
            sha1             : 3                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    CP8:
        Encryption (encrypted/decrypted)
            null             : 1                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 8499             8499            
            aes-gcm          : 0                 1.               
            aria             : 0                 1.               
            seed             : 0                 1.               
            chacha20poly1305 : 0                 1.               
        Integrity (generated/validated)
            null             : 0                 1.               
            md5              : 8499             8499            
            sha1             : 1                 1.               
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1.               
    
    SOFTWARE:
        Encryption (encrypted/decrypted)
            null             : 0                 1.               
            des              : 0                 1.               
            3des             : 0                 1.               
            aes              : 0                 1.               
            aes-gcm          : 29882            29882           
            aria             : 21688            21688           
            seed             : 153774           153774          
            chacha20poly1305 : 29521            29521           
        Integrity (generated/validated)
            null             : 59403            59403           
            md5              : 0                 1.               
            sha1             : 175462           175462          
            sha256           : 0                 1.               
            sha384           : 0                 1.               
            sha512           : 0                 1. 
  2. Two options control whether the CP processes packets. If they are disabled, packets are processed by the CPU.
    config system global
        set ipsec-asic-offload disable
        set ipsec-hmac-offload disable
    end 

IPsec traffic processed by CPU

IPsec traffic might be processed by the CPU for the following reasons:

  • Some low-end models do not have NPUs.
  • NPU offloading and CP IPsec traffic processing have been manually disabled.
  • Some types of proposals (SEED, ARIA, and chacha20poly1305) are not supported by the NPU or CP.
  • The NPU flag is set to 00 and the software encrypt/decrypt counter increments.
# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
----
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=12162 txp=12162 rxb=1691412 txb=1008216
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=8
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10602 type=00 soft=0 mtu=1453 expire=42903/0B replaywin=2048
       seqno=2d70 esn=0 replaywin_lastseq=00002d70 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=e313ac4d esp=chacha20poly1305 key=36 812d1178784c1130d1586606e44e1b9ab157e31a09edbed583be1e9cc82e8c9f2655a2cf
       ah=null key=0 
  enc: spi=706ffe0a esp=chacha20poly1305 key=36 f2727e001e2243549b140f1614ae3df82243adb070e60c33911f461b389b05a7a642e11a
       ah=null key=0 
  dec:pkts/bytes=11631/976356, enc:pkts/bytes=11631/1627692
  npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=0 enc_npuid=0

FGT_900D # diagnose vpn ipsec status 
All ipsec crypto devices in use:
NP6_0:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 0                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 0                 1.               
        sha1             : 0                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NP6_1:
    Encryption (encrypted/decrypted)
        null             : 14976            15357           
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 1664             2047            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 1664             2047            
        sha1             : 14976            15357           
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NPU Host Offloading:
    Encryption (encrypted/decrypted)
        null             : 3                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 3                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 3                 1.               
        sha1             : 3                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

CP8:
    Encryption (encrypted/decrypted)
        null             : 1                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 8865             8865            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 8865             8865            
        sha1             : 1                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

SOFTWARE:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 531              531             
        aes-gcm          : 29882            29882           
        aria             : 21688            21688           
        seed             : 153774           153774          
        chacha20poly1305 : 41156            41156           
    Integrity (generated/validated)
        null             : 71038            71038           
        md5              : 531              531             
        sha1             : 175462           175462          
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               
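
The npu_flag checks from the three sections above can be applied to every tunnel at once. The following is an added example, not Fortinet code: it parses saved `diagnose vpn tunnel list` output and reports where each SA is processed, using only the rules stated on this page (03 means NPU in both directions, 00 means not offloaded, SEED/ARIA/chacha20poly1305 are CPU only). The function names, result labels and sample text are assumptions made for the example.

```python
import re

# Proposals this page lists as unsupported by both the NPU and the CP.
CPU_ONLY_ESP = {"seed", "aria", "chacha20poly1305"}

NAME_RE = re.compile(r"^name=(\S+)")
ESP_RE = re.compile(r"^(?:dec|enc): spi=\S+ esp=(\S+)")
FLAG_RE = re.compile(r"npu_flag=([0-9a-fA-F]+) .*dec_npuid=(\d+) enc_npuid=(\d+)")

# Constructed sample modelled on the outputs above: documentation addresses,
# invented tunnel names and SPIs, key material replaced by a placeholder.
SAMPLE = """\
list all ipsec tunnel in vd 0
----
name=hq ver=2 serial=1 192.0.2.1:0->198.51.100.1:0
  dec: spi=00000a01 esp=aes key=16 <redacted>
  enc: spi=00000b01 esp=aes key=16 <redacted>
  npu_flag=03 npu_rgwy=198.51.100.1 npu_lgwy=192.0.2.1 npu_selid=6 dec_npuid=2 enc_npuid=2
----
name=branch ver=2 serial=2 192.0.2.1:0->198.51.100.2:0
  dec: spi=00000a02 esp=aes key=16 <redacted>
  enc: spi=00000b02 esp=aes key=16 <redacted>
  npu_flag=00 npu_rgwy=198.51.100.2 npu_lgwy=192.0.2.1 npu_selid=7 dec_npuid=0 enc_npuid=0
----
name=lab ver=2 serial=3 192.0.2.1:0->198.51.100.3:0
  dec: spi=00000a03 esp=chacha20poly1305 key=36 <redacted>
  enc: spi=00000b03 esp=chacha20poly1305 key=36 <redacted>
  npu_flag=00 npu_rgwy=198.51.100.3 npu_lgwy=192.0.2.1 npu_selid=8 dec_npuid=0 enc_npuid=0
"""


def classify(npu_flag, esp_algs):
    """Map an SA's npu_flag and ESP algorithms to a (path, reason) pair."""
    if npu_flag == "03":
        return "npu", "SA is processed by the NPU in both directions"
    if npu_flag == "00":
        blocked = sorted(esp_algs & CPU_ONLY_ESP)
        if blocked:
            return "cpu", "proposal %s is not supported by the NPU or CP" % ", ".join(blocked)
        return "cp-or-cpu", "not on the NPU; check the CP and SOFTWARE counters"
    # Only 00 and 03 are described on this page, so nothing is guessed here.
    return "unknown", "npu_flag value not described on this page"


def parse_tunnel_list(text):
    """Return one record per SA found in 'diagnose vpn tunnel list' output."""
    rows, name, esp = [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:                      # start of a new tunnel
            name, esp = m.group(1), set()
            continue
        m = ESP_RE.match(line)
        if m:                      # dec:/enc: line carrying the ESP algorithm
            esp.add(m.group(1).lower())
            continue
        m = FLAG_RE.search(line)
        if m and name is not None:  # npu_flag line closes the SA
            path, reason = classify(m.group(1), esp)
            rows.append({"name": name, "esp": sorted(esp), "npu_flag": m.group(1),
                         "dec_npuid": int(m.group(2)), "enc_npuid": int(m.group(3)),
                         "path": path, "reason": reason})
            esp = set()
    return rows


if __name__ == "__main__":
    for row in parse_tunnel_list(SAMPLE):
        print("%-8s flag=%s %-10s %s" % (row["name"], row["npu_flag"], row["path"], row["reason"]))
```

A tunnel reported as cp-or-cpu cannot be resolved from this output alone; the CP8 and SOFTWARE counters in `diagnose vpn ipsec status` decide it.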

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded and the NPU Host Offloading counter increments.

# diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 0                 1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 0                 1.               
        sha1             : 0                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NP6_1:
    Encryption (encrypted/decrypted)
        null             : 14976            15357           
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 110080           2175            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 110080           2175            
        sha1             : 14976            15357           
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

NPU Host Offloading:
    Encryption (encrypted/decrypted)
        null             : 3                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 111090            1.               
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 111090            1.               
        sha1             : 3                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

CP8:
    Encryption (encrypted/decrypted)
        null             : 1                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 8865             8865            
        aes-gcm          : 0                 1.               
        aria             : 0                 1.               
        seed             : 0                 1.               
        chacha20poly1305 : 0                 1.               
    Integrity (generated/validated)
        null             : 0                 1.               
        md5              : 8865             8865            
        sha1             : 1                 1.               
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.               

SOFTWARE:
    Encryption (encrypted/decrypted)
        null             : 0                 1.               
        des              : 0                 1.               
        3des             : 0                 1.               
        aes              : 539              539             
        aes-gcm          : 29882            29882           
        aria             : 21688            21688           
        seed             : 153774           153774          
        chacha20poly1305 : 41259            41259           
    Integrity (generated/validated)
        null             : 71141            71141           
        md5              : 539              539             
        sha1             : 175462           175462          
        sha256           : 0                 1.               
        sha384           : 0                 1.               
        sha512           : 0                 1.
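
The counters in `diagnose vpn ipsec status` are running totals, so "the counter ticks" is only visible by comparing two runs taken while test traffic crosses the tunnel. The following is an added example, not Fortinet code: it parses two saved snapshots and returns only the counters that moved, which shows whether the NPU, NPU Host Offloading, the CP or software handled the traffic. The function names and the shortened snapshot text are assumptions made for the example.

```python
import re

SECTION_RE = re.compile(r"^(Encryption|Integrity) \(")
COUNTER_RE = re.compile(r"^(\S+)\s*:\s*(\d+)\s+(\d+)$")

# Constructed, shortened snapshot template (the real command prints every
# algorithm for every device); the values are filled in below.
TEMPLATE = """\
All ipsec crypto devices in use:
NP6_1:
    Encryption (encrypted/decrypted)
        aes              : {np}  {np}
    Integrity (generated/validated)
        md5              : {np}  {np}
NPU Host Offloading:
    Encryption (encrypted/decrypted)
        aes              : {host}  0
CP8:
    Encryption (encrypted/decrypted)
        aes              : {cp}  {cp}
SOFTWARE:
    Encryption (encrypted/decrypted)
        aes              : {sw}  {sw}
        chacha20poly1305 : {cc}  {cc}
"""
# Constructed snapshots: between the two runs only CP8/aes and
# SOFTWARE/chacha20poly1305 change.
BEFORE = TEMPLATE.format(np=1664, host=3, cp=8865, sw=531, cc=41156)
AFTER = TEMPLATE.format(np=1664, host=3, cp=8900, sw=531, cc=41259)


def parse_status(text):
    """Return {(device, section, algorithm): (first_counter, second_counter)}."""
    counters, device, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("All ipsec crypto devices"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = COUNTER_RE.match(line)
        if m and device and section:
            counters[(device, section, m.group(1))] = (int(m.group(2)), int(m.group(3)))
            continue
        if line.endswith(":"):     # device header such as "CP8:" or "SOFTWARE:"
            device, section = line[:-1], None
    return counters


def counter_deltas(before, after):
    """Return only the counters that increased between two parsed snapshots."""
    deltas = {}
    for key, (a1, a2) in after.items():
        b1, b2 = before.get(key, (0, 0))
        if a1 < b1 or a2 < b2:
            # A reboot or counter reset between runs makes the pair useless.
            raise ValueError("counter %r went backwards; snapshots are not comparable" % (key,))
        if (a1, a2) != (b1, b2):
            deltas[key] = (a1 - b1, a2 - b2)
    return deltas


if __name__ == "__main__":
    moved = counter_deltas(parse_status(BEFORE), parse_status(AFTER))
    for (device, section, alg), (d1, d2) in sorted(moved.items()):
        print("%-20s %-10s %-18s +%d / +%d" % (device, section, alg, d1, d2))
```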