Accelerated interface mode IPsec configuration
The following steps create a hardware accelerated interface mode IPsec tunnel between two FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated interface mode IPsec
1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).
2. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
Select Advanced.
Enable the checkbox “Enable IPsec Interface Mode.”
In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s port 2.
3. Configure Phase 2.
4. Select Enable replay detection.
5. Use the following CLI command to enable offloading of anti-replay packets:
config system npu
set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
6. Go to Policy > Policy > Policy.
7. Configure two policies (one for each direction) that apply the Phase 1 IPsec configuration from step 2 to traffic leaving or arriving on FortiGate-ASM-FB4 module port 1.
8. Go to Router > Static > Static Route.
9. Configure a static route to route traffic destined for FortiGate_2’s protected network to the Phase 1 IPsec device, FGT_1_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_1_IPsec"
set dst 2.2.2.0 255.255.255.0
next
end
10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).
11. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
Enable the checkbox “Enable IPsec Interface Mode.”
In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-5001B port 2.
12. Configure Phase 2.
13. Select Enable replay detection.
14. Use the following CLI command to enable offloading of anti-replay packets:
config system npu
set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
15. Go to Policy > Policy > Policy.
16. Configure two policies (one for each direction) that apply the Phase 1 IPsec configuration from step 9 to traffic leaving or arriving on FortiGate-5001B port 1.
17. Go to Router > Static > Static Route.
18. Configure a static route to route traffic destined for FortiGate_1’s protected network to the Phase 1 IPsec device, FGT_2_IPsec.
You can also configure the static route using the following CLI commands:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
next
end
19. Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.
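As an added example (not Fortinet code and not part of the procedure above), the following Python script parses a FortiOS-style CLI configuration dump and reports which of the settings this procedure requires are missing for a named tunnel: the phase1-interface, a phase2-interface with replay detection enabled, enc-offload-antireplay under config system npu, and a static route through the tunnel device. The configuration excerpt and the phase2 name FGT_1_IPsec_p2 are constructed for the example.

```python
import shlex
# Constructed FortiGate_1 config excerpt holding only the settings audited below.
SAMPLE = """config system npu
    set enc-offload-antireplay enable
end
config vpn ipsec phase1-interface
    edit "FGT_1_IPsec"
    next
end
config vpn ipsec phase2-interface
    edit "FGT_1_IPsec_p2"
        set phase1name "FGT_1_IPsec"
        set replay enable
    next
end
config router static
    edit 2
        set device "FGT_1_IPsec"
        set dst 2.2.2.0 255.255.255.0
    next
end"""
def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        cmd, *args = shlex.split(raw) or [""]   # blank line -> no command
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):           # open a table or an entry
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "set":                      # value may span several words
            cur[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):            # close the entry or table
            stack.pop()
    return root

def audit_offload(cfg, tunnel):
    """Return the procedure's requirements that 'tunnel' fails; [] if all pass."""
    findings = []
    if tunnel not in cfg.get("vpn ipsec phase1-interface", {}):
        findings.append(f"no phase1-interface {tunnel}")
    p2s = [v for v in cfg.get("vpn ipsec phase2-interface", {}).values()
           if v.get("phase1name") == tunnel]
    if not p2s or any(v.get("replay") != "enable" for v in p2s):
        findings.append("phase2 missing or replay detection disabled")
    if cfg.get("system npu", {}).get("enc-offload-antireplay") != "enable":
        findings.append("enc-offload-antireplay not enabled")
    if not any(r.get("device") == tunnel
               for r in cfg.get("router static", {}).values()):
        findings.append(f"no static route via {tunnel}")
    return findings
```

Run `audit_offload(parse_fortios(open("fgt1.conf").read()), "FGT_1_IPsec")` against a real `show` dump to list what still needs configuring before the tunnel can be offloaded.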