Chapter 11 IPsec VPN for FortiOS 5.0 : Hardware offloading and acceleration : Overview : IPsec session offloading requirements
  
IPsec session offloading requirements
Sessions must be fast path ready. Fast path ready session requirements are:
- Layer 2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported); link aggregation between any network interfaces sharing the same network processor(s) may be used (IEEE 802.3ad specification is supported)
- Layer 3 protocol must be IPv4
- Layer 4 protocol must be UDP, TCP or ICMP
- Layer 3 / Layer 4 header or content modification must not require a session helper (for example, SNAT, DNAT, and TTL reduction are supported, but application layer content modification is not supported)
- FortiGate unit security policy must not require antivirus or IPS inspection, although hardware accelerated anomaly checks are acceptable.
- The session must not use an aggregated link or require QoS, including rate limits and bandwidth guarantees (NP1 processor only).
- Ingress and egress network interfaces are both attached to the same network processor(s)
- In Phase I configuration, Local Gateway IP must be specified as an IP address of a network interface attached to a network processor
- In Phase II configuration:
  - encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null (for NP1 processor, only 3DES is supported)
  - authentication must be MD5, SHA1, or null (for NP1 processor, only MD5 is supported)
  - if replay detection is enabled, encryption and decryption options must be enabled in the CLI (see “IPsec encryption offloading”, below)
If the IPsec session meets the above requirements, the FortiGate unit sends the IPsec security association (SA) and configured processing actions to the network processors.
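The requirements above can be read as a checklist that reports why a given tunnel is not being offloaded. The following is an added example, not Fortinet code: the `Session` field names and the default "NP2" model label are assumptions made for illustration, and the "(NP1 processor only)" qualifier is taken to apply to both the aggregated-link and the QoS restriction.

```python
from dataclasses import dataclass, replace

@dataclass
class Session:  # field names are assumptions for this example, not FortiOS keywords
    np_model: str = "NP2"         # assumed label; only "NP1" triggers the extra limits
    ethertype: int = 0x0800       # Layer 2 type/length
    ip_version: int = 4
    l4_proto: str = "tcp"
    needs_session_helper: bool = False
    av_or_ips: bool = False       # policy requires antivirus or IPS inspection
    aggregated_link: bool = False
    qos: bool = False             # rate limits or bandwidth guarantees
    ingress_np: str = "np0"       # processor the ingress interface is attached to
    egress_np: str = "np0"
    local_gw_on_np: bool = True   # Phase I Local Gateway IP is on an NP interface
    encryption: str = "aes-256"   # Phase II
    authentication: str = "sha1"  # Phase II
    replay_detection: bool = False
    replay_offload_cli: bool = False  # enc/dec offload options enabled in the CLI

def offload_blockers(s):
    """Return the requirements from the list above that the session fails."""
    np1 = s.np_model.upper() == "NP1"
    enc_ok = {"3des"} if np1 else {"des", "3des", "aes-128", "aes-192", "aes-256", "null"}
    auth_ok = {"md5"} if np1 else {"md5", "sha1", "null"}
    checks = [
        (s.ethertype == 0x0800, "Layer 2 type/length is not 0x0800"),
        (s.ip_version == 4, "Layer 3 protocol is not IPv4"),
        (s.l4_proto.lower() in {"udp", "tcp", "icmp"}, "Layer 4 protocol is not UDP, TCP or ICMP"),
        (not s.needs_session_helper, "session helper required"),
        (not s.av_or_ips, "policy requires antivirus or IPS inspection"),
        (not (np1 and (s.aggregated_link or s.qos)), "NP1: aggregated link or QoS in use"),
        (bool(s.ingress_np) and s.ingress_np == s.egress_np,
         "ingress and egress on different network processors"),
        (s.local_gw_on_np, "Phase I Local Gateway IP not on a network processor interface"),
        (s.encryption.lower() in enc_ok,
         f"Phase II encryption {s.encryption} not supported on {s.np_model}"),
        (s.authentication.lower() in auth_ok,
         f"Phase II authentication {s.authentication} not supported on {s.np_model}"),
        (not s.replay_detection or s.replay_offload_cli,
         "replay detection on but CLI offload options off"),
    ]
    return [reason for ok, reason in checks if not ok]

if __name__ == "__main__":
    # Constructed sample: the default tunnel moved to an NP1 unit with replay detection on.
    for reason in offload_blockers(replace(Session(), np_model="NP1", replay_detection=True)):
        print("not offloaded:", reason)
```

An empty result means every listed requirement is met; each returned string names one requirement that keeps the session on the CPU path.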