VPN and ASIC offload
This topic provides a brief introduction to VPN traffic offloading.
IPsec traffic processed by NPU
- Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
    # get hardware status
    Model name: FortiGate-900D
    ASIC version: CP8
    ASIC SRAM: 64M
    CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
    Number of CPUs: 4
    RAM: 16065 MB
    Compact Flash: 1925 MB /dev/sda
    Hard disk: 244198 MB /dev/sdb
    USB Flash: not available
    Network Card chipset: FortiASIC NP6 Adapter (rev.)
- Check port to NPU mapping.
    # diagnose npu np6 port-list
    Chip   XAUI Ports   Max   Cross-chip
                        Speed offloading
    ------ ---- ------- ----- ----------
    np6_0  0    port17  1G    Yes
                port18  1G    Yes
                port19  1G    Yes
                port20  1G    Yes
                port21  1G    Yes
                port22  1G    Yes
                port23  1G    Yes
                port24  1G    Yes
                port27  1G    Yes
                port28  1G    Yes
                port25  1G    Yes
                port26  1G    Yes
                port31  1G    Yes
                port32  1G    Yes
                port29  1G    Yes
                port30  1G    Yes
                portB   10G   Yes
    ------ ---- ------- ----- ----------
    np6_1  0    port1   1G    Yes
                port2   1G    Yes
                port3   1G    Yes
                port4   1G    Yes
                port5   1G    Yes
                port6   1G    Yes
                port7   1G    Yes
                port8   1G    Yes
                port11  1G    Yes
                port12  1G    Yes
                port9   1G    Yes
                port10  1G    Yes
                port15  1G    Yes
                port16  1G    Yes
                port13  1G    Yes
                port14  1G    Yes
                portA   10G   Yes
    ------ ---- ------- ----- ----------
- Configure the npu-offload option in the IPsec phase1 settings to control whether the NPU encrypts/decrypts IPsec packets (enabled by default).
    config vpn ipsec phase1/phase1-interface
        edit "vpn_name"
            set npu-offload enable/disable
        next
    end
- Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag=03 flag means that the traffic processed by the NPU is bi-directional.
    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0 tun_id=11.101.1.1
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
    stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=4 serial=7
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048
           seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
      life: type=01 bytes=0/0 timeout=42930/43200
      dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958
           ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
      enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529
           ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
      dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826
      npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

    FGT_900D # diagnose vpn ipsec st
    All ipsec crypto devices in use:
    NP6_0:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          0          0
        sha1     :          0          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NP6_1:
     Encryption (encrypted/decrypted)
        null     :      14976      15357
        des      :          0          0
        3des     :          0          0
        aes      :       1664       2047
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       1664       2047
        sha1     :      14976      15357
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NPU Host Offloading:
     Encryption (encrypted/decrypted)
        null     :          3          0
        des      :          0          0
        3des     :          0          0
        aes      :          3          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          3          0
        sha1     :          3          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    CP8:
     Encryption (encrypted/decrypted)
        null     :          1          0
        des      :          0          0
        3des     :          0          0
        aes      :          1          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          1          0
        sha1     :          1          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    SOFTWARE:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :      29882      29882
        aria     :      21688      21688
        seed     :     153774     153774
        chacha20poly1305 :      29521      29521
     Integrity (generated/validated)
        null     :      59403      59403
        md5      :          0          0
        sha1     :     175462     175462
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
- If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.
IPsec traffic processed by CP
- Check the NPU flag and CP counter.
    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0 tun_id=11.101.1.1
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
    stat: rxp=8418 txp=8418 rxb=1251248 txb=685896
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=3 serial=7
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42037/0B replaywin=2048
           seqno=20e3 esn=0 replaywin_lastseq=000020e3 itn=0
      life: type=01 bytes=0/0 timeout=42928/43200
      dec: spi=e313ac48 esp=aes key=16 393770842f926266530db6e43e21c4f8
           ah=md5 key=16 b2e4e025e8910e95c1745e7855479cca
      enc: spi=706ffe05 esp=aes key=16 7ef749610335f9f50e252023926de29e
           ah=md5 key=16 0b81e4d835919ab2b8ba8edbd01aec9d
      dec:pkts/bytes=8418/685896, enc:pkts/bytes=8418/1251248
      npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0

    FGT-D # diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP6_0:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          0          0
        sha1     :          0          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NP6_1:
     Encryption (encrypted/decrypted)
        null     :      14976      15357
        des      :          0          0
        3des     :          0          0
        aes      :       1664       2047
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       1664       2047
        sha1     :      14976      15357
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NPU Host Offloading:
     Encryption (encrypted/decrypted)
        null     :          3          0
        des      :          0          0
        3des     :          0          0
        aes      :          3          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          3          0
        sha1     :          3          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    CP8:
     Encryption (encrypted/decrypted)
        null     :          1          0
        des      :          0          0
        3des     :          0          0
        aes      :       8499       8499
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       8499       8499
        sha1     :          1          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    SOFTWARE:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :      29882      29882
        aria     :      21688      21688
        seed     :     153774     153774
        chacha20poly1305 :      29521      29521
     Integrity (generated/validated)
        null     :      59403      59403
        md5      :          0          0
        sha1     :     175462     175462
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
- Two options control whether the CP processes IPsec packets. If they are disabled, packets are processed by the CPU.
    config system global
        set ipsec-asic-offload disable
        set ipsec-hmac-offload disable
    end
IPsec traffic processed by CPU
IPsec traffic might be processed by the CPU for the following reasons:
- Some low-end models do not have NPUs.
- NPU offloading and CP IPsec processing have been manually disabled.
- Some proposals (SEED, ARIA, chacha20poly1305) are not supported by the NPU or CP.
- In this case the NPU flag is set to 00 and the software encrypt/decrypt counter ticks.
    # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0 tun_id=11.101.1.1
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
    stat: rxp=12162 txp=12162 rxb=1691412 txb=1008216
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=test proto=0 sa=1 ref=4 serial=8
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10602 type=00 soft=0 mtu=1453 expire=42903/0B replaywin=2048
           seqno=2d70 esn=0 replaywin_lastseq=00002d70 itn=0
      life: type=01 bytes=0/0 timeout=42931/43200
      dec: spi=e313ac4d esp=chacha20poly1305 key=36 812d1178784c1130d1586606e44e1b9ab157e31a09edbed583be1e9cc82e8c9f2655a2cf
           ah=null key=0
      enc: spi=706ffe0a esp=chacha20poly1305 key=36 f2727e001e2243549b140f1614ae3df82243adb070e60c33911f461b389b05a7a642e11a
           ah=null key=0
      dec:pkts/bytes=11631/976356, enc:pkts/bytes=11631/1627692
      npu_flag=00 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=0 enc_npuid=0

    FGT_900D # diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP6_0:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          0          0
        sha1     :          0          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NP6_1:
     Encryption (encrypted/decrypted)
        null     :      14976      15357
        des      :          0          0
        3des     :          0          0
        aes      :       1664       2047
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       1664       2047
        sha1     :      14976      15357
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NPU Host Offloading:
     Encryption (encrypted/decrypted)
        null     :          3          0
        des      :          0          0
        3des     :          0          0
        aes      :          3          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          3          0
        sha1     :          3          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    CP8:
     Encryption (encrypted/decrypted)
        null     :          1          0
        des      :          0          0
        3des     :          0          0
        aes      :       8865       8865
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       8865       8865
        sha1     :          1          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    SOFTWARE:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :        531        531
        aes-gcm  :      29882      29882
        aria     :      21688      21688
        seed     :     153774     153774
        chacha20poly1305 :      41156      41156
     Integrity (generated/validated)
        null     :      71038      71038
        md5      :        531        531
        sha1     :     175462     175462
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
Disable automatic ASIC offloading
When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded and the NPU Host Offloading counter is ticked.
    # diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP6_0:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :          0          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :          0          0
        sha1     :          0          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NP6_1:
     Encryption (encrypted/decrypted)
        null     :      14976      15357
        des      :          0          0
        3des     :          0          0
        aes      :     110080       2175
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :     110080       2175
        sha1     :      14976      15357
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    NPU Host Offloading:
     Encryption (encrypted/decrypted)
        null     :          3          0
        des      :          0          0
        3des     :          0          0
        aes      :     111090          0
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :     111090          0
        sha1     :          3          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    CP8:
     Encryption (encrypted/decrypted)
        null     :          1          0
        des      :          0          0
        3des     :          0          0
        aes      :       8865       8865
        aes-gcm  :          0          0
        aria     :          0          0
        seed     :          0          0
        chacha20poly1305 :          0          0
     Integrity (generated/validated)
        null     :          0          0
        md5      :       8865       8865
        sha1     :          1          0
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
    SOFTWARE:
     Encryption (encrypted/decrypted)
        null     :          0          0
        des      :          0          0
        3des     :          0          0
        aes      :        539        539
        aes-gcm  :      29882      29882
        aria     :      21688      21688
        seed     :     153774     153774
        chacha20poly1305 :      41259      41259
     Integrity (generated/validated)
        null     :      71141      71141
        md5      :        539        539
        sha1     :     175462     175462
        sha256   :          0          0
        sha384   :          0          0
        sha512   :          0          0
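The checks described in the NPU, CP and CPU sections above (read npu_flag from diagnose vpn tunnel list, then see which device's counters tick in diagnose vpn ipsec status) can be automated by diffing two snapshots. The Python below is an added example, not FortiOS or Fortinet code: it parses a constructed, trimmed status output in the layout shown on this page and names the crypto path the way the sections above describe (NPU, CP or CPU). The sample text, the STATUS_T1 delta and the tunnel-list excerpt are constructed for the example.

```python
import re

# Constructed sample of `diagnose vpn ipsec status`, trimmed to three devices but
# laid out like the full output: device header, section header, "algo : a b".
STATUS_T0 = """\
All ipsec crypto devices in use:
NP6_1:
 Encryption (encrypted/decrypted)
    aes      :       1664       2047
CP8:
 Encryption (encrypted/decrypted)
    aes      :          1          1
SOFTWARE:
 Encryption (encrypted/decrypted)
    chacha20poly1305 :      29521      29521
"""
STATUS_T1 = re.sub(r"1664\s+2047", "1700       2090", STATUS_T0)  # NP6_1 advanced
TUNNEL_T1 = "enc:pkts/bytes=2094/17200 npu_flag=03 dec_npuid=2"  # constructed excerpt
DEVICE_RE = re.compile(r"^(\S[^:]*):\s*$")                # NP6_1:  CP8:  SOFTWARE:
SECTION_RE = re.compile(r"^\s+(Encryption|Integrity)\b")
ALGO_RE = re.compile(r"^\s+(\S+)\s*:\s+(\d+)\s+(\d+)\s*$")

def parse_status(text):
    """{device: {"Encryption:aes": (encrypted, decrypted), ...}} from the status output."""
    counters, device, section = {}, None, None
    for line in text.splitlines():
        if (m := DEVICE_RE.match(line)) and not line.startswith("All "):
            counters[(device := m.group(1))] = {}
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := ALGO_RE.match(line)) and device and section:
            counters[device][f"{section}:{m.group(1)}"] = (int(m.group(2)), int(m.group(3)))
    return counters

def ticked(before, after):
    """Counters that advanced between two snapshots: {device: {key: (delta, delta)}}."""
    delta = {}
    for dev, algos in after.items():
        for key, (a1, b1) in algos.items():
            a0, b0 = before.get(dev, {}).get(key, (0, 0))
            if (a1, b1) != (a0, b0):
                delta.setdefault(dev, {})[key] = (a1 - a0, b1 - b0)
    return delta

def crypto_path(tunnel_list, delta):
    """NPU when npu_flag=03 and an NP6 ticks; CP when CP8 ticks; CPU when SOFTWARE ticks."""
    m = re.search(r"npu_flag=([0-9a-f]{2})", tunnel_list)
    flag = m.group(1) if m else None
    if flag == "03" and any(dev.startswith("NP6_") for dev in delta):
        return "NPU"
    if flag == "00":
        return "CP" if "CP8" in delta else "CPU" if "SOFTWARE" in delta else "unknown"
    return "unknown"
```

Run the two status commands a few seconds apart on the device, feed the captured text to parse_status, and crypto_path tells you which of the three cases on this page the tunnel is in.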