Chapter 8 Hardware Acceleration : NP4 Acceleration : NP4 IPsec VPN offloading configuration example : Accelerated policy mode IPsec configuration
  
Accelerated policy mode IPsec configuration
The following steps create a hardware accelerated policy mode IPsec tunnel between two FortiGate-5001B units. Each unit contains two NP4 processors; only the first NP4 is used in this example.
To configure hardware accelerated policy mode IPsec
1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).
2. Configure Phase 1.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required: the NP4 matches offloaded security associations against a fixed local address, so the tunnel cannot be left to pick up whatever interface address is current.
Set Remote Gateway to Static IP Address 3.3.3.2, which is the IP address of FortiGate_2's FortiGate-ASM-FB4 module port 2. Then select Advanced. In the Local Gateway IP section, select Specify and type 3.3.3.1, which is the IP address of FortiGate_1's own port2 (the NP4 port, named AMC-SW1/2 in the CLI). The Local Gateway IP is always the address of the unit you are configuring, never the peer's address.
3. Configure Phase 2.
4. Select Enable replay detection.
5. Use the following CLI command to enable offloading of IPsec encryption for tunnels that have replay detection enabled (without it, enabling replay detection in step 4 keeps the tunnel's encryption on the CPU):
config system npu
set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
6. Go to Policy > Policy > Policy.
7. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 2 to traffic between FortiGate-5001B ports 1 and 2.
8. Go to Router > Static > Static Route.
9. Configure a static route that sends traffic destined for FortiGate_2's protected network (2.2.2.0/24) to the VPN gateway IP address of FortiGate_2, 3.3.3.2, through FortiGate-5001B port2 (AMC-SW1/2 in the CLI).
You can also configure the static route using the following CLI command:
config router static
    edit 2
        set device "AMC-SW1/2"
        set dst 2.2.2.0 255.255.255.0
        set gateway 3.3.3.2
    next
end
10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).
11. Configure Phase 1.
For tunnel mode IPsec and for hardware acceleration, specifying the Local Gateway IP is required.
Set Remote Gateway to Static IP Address 3.3.3.1, which is the IP address of FortiGate_1's port2. Then select Advanced. In the Local Gateway IP section, select Specify and type 3.3.3.2, which is the IP address of FortiGate_2's own FortiGate-ASM-FB4 module port 2 (AMC-SW1/2 in the CLI).
12. Configure Phase 2.
13. Select Enable replay detection.
14. Use the following CLI command to enable offloading of IPsec encryption for tunnels that have replay detection enabled:
config system npu
set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
15. Go to Policy > Policy > Policy.
16. Configure a policy to apply the Phase 1 IPsec tunnel you configured in step 11 to traffic between FortiGate-5001B ports 1 and 2.
17. Go to Router > Static > Static Route.
18. Configure a static route that sends traffic destined for FortiGate_1's protected network (1.1.1.0/24) to the VPN gateway IP address of FortiGate_1, 3.3.3.1, through FortiGate-5001B port2 (AMC-SW1/2 in the CLI).
You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "AMC-SW1/2"
        set dst 1.1.1.0 255.255.255.0
        set gateway 3.3.3.1
    next
end
19. Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.
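The whole procedure above, collected into one CLI configuration for FortiGate_1, is given here as an added example; it is not text from the original page. It uses only the values the steps give (FortiGate_1 port2 = 3.3.3.1, FortiGate_2 port2 = 3.3.3.2, protected networks 1.1.1.0/24 and 2.2.2.0/24, NP4 port AMC-SW1/2). The object names to_FG2, to_FG2_p2, FG1_LAN and FG2_LAN, the proposal and DH group, the pre-shared key placeholder, the choice of port1 as the protected-network interface, and the dec-offload-antireplay setting (the decryption counterpart from the referenced offloading section) are assumptions. FortiGate_2 uses the same configuration with the local and remote gateways, the address objects and the route destination swapped.

```text
# FortiGate_1: accelerated policy-mode IPsec, CLI equivalent of steps 1-9.
# Lines starting with # are annotations, not FortiOS commands.

# Phase 1. Policy mode uses "phase1", not "phase1-interface".
# local-gw is FortiGate_1's OWN NP4 port address (step 2); remote-gw is the peer.
config vpn ipsec phase1
    edit "to_FG2"
        set interface "AMC-SW1/2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
        set proposal aes128-sha1
        set dhgrp 14
        set psksecret REPLACE_WITH_A_LONG_RANDOM_PSK
    next
end

# Phase 2 with replay detection (step 4). Both peers must set it the same way.
config vpn ipsec phase2
    edit "to_FG2_p2"
        set phase1name "to_FG2"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 14
        set replay enable
    next
end

# Step 5: keep encryption on the NP4 even though anti-replay is on.
# dec-offload-antireplay is the decryption side of the same setting (assumed).
config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
end

# Address objects for the two protected networks (names assumed).
config firewall address
    edit "FG1_LAN"
        set subnet 1.1.1.0 255.255.255.0
    next
    edit "FG2_LAN"
        set subnet 2.2.2.0 255.255.255.0
    next
end

# Step 7: policy-mode IPsec policy from port1 (protected LAN, assumed) to the
# NP4 port. action ipsec + vpntunnel binds the Phase 1 to matching traffic;
# inbound/outbound allow both directions through this single policy.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "AMC-SW1/2"
        set srcaddr "FG1_LAN"
        set dstaddr "FG2_LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_FG2"
    next
end

# Step 9: route the remote protected network to FortiGate_2's gateway address.
config router static
    edit 2
        set device "AMC-SW1/2"
        set dst 2.2.2.0 255.255.255.0
        set gateway 3.3.3.2
    next
end

# Step 19 check, from the CLI: send traffic from 1.1.1.0/24 to 2.2.2.0/24,
# then confirm the IKE SA is up and the IPsec SA was actually offloaded.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

In the `diagnose vpn tunnel list` output, look for the tunnel's npu_flag field (the exact layout varies between FortiOS builds): a zero value means the SA was negotiated but stayed on the CPU, which is what happens when the Local Gateway IP was left unset or anti-replay offload was not enabled on one side.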