NP4 IPsec VPN offloading
NP4 processors improve IPsec tunnel performance by offloading IPsec encryption and decryption.
Requirements for hardware accelerated IPsec encryption or decryption are a modification of the general offloading requirements. The differing characteristics are:
- The origin can be the local host (the FortiGate unit).
- In the Phase 1 configuration, the Local Gateway IP must be specified as the IP address of a network interface for a port attached to a network processor.
- The SA must have been received by the network processor.
- In the Phase 2 configuration:
  - the encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  - authentication must be MD5, SHA1, or null
  - if encryption is null, authentication must not also be null
  - if replay detection is enabled, enc-offload-antireplay must also be enabled in the CLI
 
If replay detection is enabled in the Phase 2 configuration, you can enable or disable IPsec encryption and decryption offloading from the CLI. Performance varies by those CLI options and the percentage of packets requiring encryption or decryption. For details, see “Configuring NP accelerated VPN encryption/decryption offloading”.
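As an added illustration (not part of the FortiGate documentation), the following Python routine checks a tunnel's Phase 1 and Phase 2 settings against the NP4 offload requirements listed above, so a misconfiguration that silently leaves traffic on the main processing resources can be caught before deployment. The field names (`local_gw`, `encryption`, `authentication`, `replay`, `enc_offload_antireplay`), the interface table and the sample configurations are constructed for this example and are not FortiOS CLI syntax.

```python
# Added example: audit an IPsec tunnel configuration against the NP4
# offload requirements. Field names and sample data are constructed for
# illustration; they are not FortiOS CLI syntax.

# Algorithms the page lists as offloadable, normalised to lowercase
# with hyphens removed ("AES-256" -> "aes256").
OFFLOAD_ENC = {"des", "3des", "aes128", "aes192", "aes256", "null"}
OFFLOAD_AUTH = {"md5", "sha1", "null"}


def _norm(name):
    """Normalise an algorithm name so 'AES-128', 'aes128' and 'AES128' match."""
    return name.lower().replace("-", "")


def offload_blockers(phase1, phase2, np4_interfaces, npu):
    """Return the list of reasons the tunnel cannot be offloaded to the NP4.

    phase1         : dict with 'local_gw' (IP address string)
    phase2         : dict with 'encryption', 'authentication', 'replay' (bool)
    np4_interfaces : dict of interface name -> IP address, for ports attached
                     to a network processor (assumed inventory, not from the page)
    npu            : dict with 'enc_offload_antireplay' (bool), the global CLI setting
    An empty list means every requirement on the page is satisfied.
    """
    reasons = []

    # Phase 1: the local gateway must be the address of an NP4-attached port.
    if phase1["local_gw"] not in np4_interfaces.values():
        reasons.append("local gateway is not the IP of a network-processor port")

    # Phase 2: algorithm constraints.
    enc = _norm(phase2["encryption"])
    auth = _norm(phase2["authentication"])
    if enc not in OFFLOAD_ENC:
        reasons.append(f"encryption '{phase2['encryption']}' is not offloadable")
    if auth not in OFFLOAD_AUTH:
        reasons.append(f"authentication '{phase2['authentication']}' is not offloadable")
    if enc == "null" and auth == "null":
        reasons.append("encryption and authentication must not both be null")

    # Phase 2: replay detection requires the matching CLI offload setting.
    if phase2["replay"] and not npu["enc_offload_antireplay"]:
        reasons.append("replay detection is enabled but enc-offload-antireplay is disabled")

    return reasons


# Constructed sample inventory and configurations.
SAMPLE_NP4_PORTS = {"port1": "203.0.113.10", "port2": "198.51.100.1"}
SAMPLE_NPU = {"enc_offload_antireplay": True}

GOOD_TUNNEL = (
    {"local_gw": "203.0.113.10"},
    {"encryption": "AES-256", "authentication": "SHA1", "replay": True},
)
BAD_TUNNEL = (
    {"local_gw": "192.0.2.1"},
    {"encryption": "null", "authentication": "null", "replay": True},
)


def check_samples():
    """Run both constructed tunnels through the checker."""
    return {
        "good": offload_blockers(*GOOD_TUNNEL, SAMPLE_NP4_PORTS, SAMPLE_NPU),
        "bad": offload_blockers(*BAD_TUNNEL, SAMPLE_NP4_PORTS,
                                {"enc_offload_antireplay": False}),
    }


if __name__ == "__main__":
    for name, blockers in check_samples().items():
        print(name, "->", "offloadable" if not blockers else blockers)
```

The checker only encodes the requirements stated on this page; it does not confirm that the SA has actually been pushed to the network processor, which can only be observed on the running unit.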
To apply hardware accelerated encryption and decryption, the FortiGate unit’s main processing resources must first perform Phase 1 negotiations to establish the security association (SA). The SA includes cryptographic processing instructions required by the network processor, such as which encryption algorithms must be applied to the tunnel. After ISAKMP negotiations, the FortiGate unit’s main processing resources send the SA to the network processor, enabling the network processor to apply the negotiated hardware accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:
IPsec decryption offload:
- Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
- Ingress ESP packet > Offloaded decryption > Decrypted packet to the FortiGate unit’s main processing resources
IPsec encryption offload:
- Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
- Packet from the FortiGate unit’s main processing resources > Offloaded encryption > Encrypted (ESP) packet egress