Chapter 11 IPsec VPN for FortiOS 5.0 : Hardware offloading and acceleration : IPsec offloading configuration examples : Accelerated route-based VPN configuration
  
Accelerated route-based VPN configuration
This example uses the accelerated ports on the FortiGate-ASM-FB4 modules installed in each FortiGate unit. These accelerated ports are paired interfaces with their own network processor (NPU) that offloads IPsec work from the FortiGate unit CPU. Apart from the use of these ports, this is a normal route-based VPN configuration.
Configuring each FortiGate unit requires the same basic steps:
Configure VPN Phase 1
Configure VPN Phase 2
Create security policies to allow traffic to flow
Create a static route to allow traffic to flow
When the VPN tunnel is configured on both FortiGate units, test to ensure that it is working properly.
To configure FortiGate_1
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2. Configure the Phase 1 settings (name FGT_1_IPsec), and also:
Select Advanced.
Select Enable IPsec Interface Mode.
In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module on port 2.
3. Select OK.
4. Select Create Phase 2 and configure the Phase 2 settings, including:
Select Enable replay detection.
Set enc-offload-antireplay to enable using the config system npu CLI command.
5. Go to Policy > Policy > Policy.
6. Configure two firewall address policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4 module port 1.
7. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
8. Configure a static route to route traffic destined for FortiGate_2’s protected network to the virtual IPsec interface, FGT_1_IPsec.
To add the static route from the CLI:
config router static
edit 2
set device "FGT_1_IPsec"
set dst 2.2.2.0 255.255.255.0
end
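The CLI equivalent of the FortiGate_1 steps above, added here as an example and not taken from the FortiOS documentation. It assumes the module interface names amc-sw1/1 (module port 1, protected network side) and amc-sw1/2 (module port 2, VPN side), a placeholder pre-shared key, and the FortiOS 5.0 predefined service name ANY; lines beginning with # are annotations, not CLI input.

```fortios
# Added example (not from the FortiOS manual): CLI form of the FortiGate_1 steps.
# Assumed interface names: amc-sw1/1 = module port 1 (LAN), amc-sw1/2 = module port 2 (VPN).
# Using phase1-interface is the CLI equivalent of Enable IPsec Interface Mode.
config vpn ipsec phase1-interface
    edit "FGT_1_IPsec"
        set interface "amc-sw1/2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
# Phase 2 with replay detection; the NPU setting keeps the anti-replay check offloaded.
config vpn ipsec phase2-interface
    edit "FGT_1_IPsec_p2"
        set phase1name "FGT_1_IPsec"
        set replay enable
    next
end
config system npu
    set enc-offload-antireplay enable
end
# Address objects for the protected networks so the two policies pass only inter-site traffic.
config firewall address
    edit "FGT_1_LAN"
        set subnet 1.1.1.0 255.255.255.0
    next
    edit "FGT_2_LAN"
        set subnet 2.2.2.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "amc-sw1/1"
        set dstintf "FGT_1_IPsec"
        set srcaddr "FGT_1_LAN"
        set dstaddr "FGT_2_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "FGT_1_IPsec"
        set dstintf "amc-sw1/1"
        set srcaddr "FGT_2_LAN"
        set dstaddr "FGT_1_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

The static route to 2.2.2.0/24 via FGT_1_IPsec shown above completes the configuration; FortiGate_2 mirrors this with the gateway addresses, address objects and route destination swapped.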
To configure FortiGate_2
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2. Configure the Phase 1 settings (name FGT_2_IPsec), and also:
Select Advanced.
Select Enable IPsec Interface Mode.
In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3. Select OK.
4. Select Create Phase 2 and configure the Phase 2 settings, including:
Select Enable replay detection.
Set enc-offload-antireplay to enable using the config system npu CLI command.
5. Go to Policy > Policy > Policy.
6. Configure two firewall address policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4 module port 1.
7. Go to Router > Static > Static Routes.
8. Configure a static route to route traffic destined for FortiGate_1’s protected network to the virtual IPsec interface, FGT_2_IPsec.
To add the static route from the CLI:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
end
To test the VPN
1. Activate the IPsec tunnel by sending traffic between the two protected networks.
2. To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.