Accelerated interface mode IPsec configuration
The following steps create a hardware accelerated interface mode IPsec tunnel between two FortiGate units, each containing a FortiGate-ASM-FB4 module.
To configure hardware accelerated interface mode IPsec
1. On FortiGate_1, go to VPN > IPsec > Auto Key (IKE).
2. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
• Select Advanced.
• Enable the checkbox “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s port 2.
3. Configure Phase 2.
4. Select Enable replay detection.
5. Use the following CLI command to enable offloading of packets that require anti-replay checking:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
6. Go to Policy > Policy > Policy.
7. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4 module port 1.
8. Go to Router > Static > Static Route.
9. Configure a static route to route traffic destined for FortiGate_2’s protected network to the Phase 1 IPsec device, FGT_1_IPsec.
You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "FGT_1_IPsec"
        set dst 2.2.2.0 255.255.255.0
    next
end
10. On FortiGate_2, go to VPN > IPsec > Auto Key (IKE).
11. Configure Phase 1.
For interface mode IPsec and for hardware acceleration, the following settings are required.
• Enable the checkbox “Enable IPsec Interface Mode.”
• In the Local Gateway IP section, select Specify and type the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-5001B port 2.
12. Configure Phase 2.
13. Select Enable replay detection.
14. Use the following CLI command to enable offloading of packets that require anti-replay checking:
config system npu
    set enc-offload-antireplay enable
end
For details on encryption and decryption offloading options available in the CLI, see “Configuring NP accelerated VPN encryption/decryption offloading”.
15. Go to Policy > Policy > Policy.
16. Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration you configured in step 9 to traffic leaving from or arriving on FortiGate-5001B port 1.
17. Go to Router > Static > Static Route.
18. Configure a static route to route traffic destined for FortiGate_1’s protected network to the Phase 1 IPsec device, FGT_2_IPsec.
You can also configure the static route using the following CLI commands:
config router static
    edit 2
        set device "FGT_2_IPsec"
        set dst 1.1.1.0 255.255.255.0
    next
end
19. Activate the IPsec tunnel by sending traffic between the two protected networks.
To verify tunnel activation, go to VPN > Monitor > IPsec Monitor.
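The whole procedure above, rendered as the equivalent FortiOS CLI for both units and cross-checked so that the two sides actually mirror each other, as an added example that is not part of the original Fortinet documentation. It takes the gateway addresses (FortiGate_1 port 2 = 3.3.3.1, FortiGate_2 port 2 = 3.3.3.2), the protected networks 1.1.1.0/24 and 2.2.2.0/24 and the IPsec device names FGT_1_IPsec and FGT_2_IPsec from the page; the interface names port1 and port2, the Phase 2 names, the proposal, the policy and route sequence numbers and the pre-shared key placeholder are assumptions, and each unit's own port 2 address is used as its local gateway with the peer's address as the remote gateway.

```python
"""Render the two-FortiGate interface-mode IPsec configuration from a small
topology description and cross-check that both sides mirror each other.

Constructed example: interface names, Phase 2 names, proposals, sequence
numbers and the PSK placeholder are assumptions; gateway IPs, protected
subnets and IPsec device names come from the procedure being illustrated.
"""
from dataclasses import dataclass


@dataclass
class Unit:
    name: str            # FortiGate hostname
    phase1: str          # interface-mode IPsec device name (FGT_1_IPsec, ...)
    wan_if: str          # interface carrying IKE/ESP (assumed: port2)
    wan_ip: str          # this unit's own gateway address on wan_if
    lan_if: str          # interface facing the protected network (assumed: port1)
    lan_net: str         # protected network behind this unit, "a.b.c.d/nn"
    route_seq: int = 2   # static route sequence number used in the procedure
    replay: bool = True  # Phase 2 "Enable replay detection"
    offload_antireplay: bool = True  # config system npu enc-offload-antireplay


def cidr_to_mask(cidr):
    """'2.2.2.0/24' -> ('2.2.2.0', '255.255.255.0'), the form 'set dst' expects."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return net, ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))


def render(local, peer):
    """FortiOS CLI equivalent of the GUI steps for one unit (PSK left as placeholder)."""
    src_net, src_mask = cidr_to_mask(local.lan_net)
    dst_net, dst_mask = cidr_to_mask(peer.lan_net)
    on_off = lambda flag: "enable" if flag else "disable"
    lines = [
        f"# {local.name}: interface-mode, NP-offloaded tunnel to {peer.name}",
        "config vpn ipsec phase1-interface",
        f'    edit "{local.phase1}"',
        f'        set interface "{local.wan_if}"',
        f"        set local-gw {local.wan_ip}",
        f"        set remote-gw {peer.wan_ip}",
        "        set proposal aes256-sha256",
        "        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>",
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{local.phase1}_p2"',
        f'        set phase1name "{local.phase1}"',
        "        set proposal aes256-sha256",
        f"        set replay {on_off(local.replay)}",
        f"        set src-subnet {src_net} {src_mask}",
        f"        set dst-subnet {dst_net} {dst_mask}",
        "    next", "end",
        "config system npu",
        f"    set enc-offload-antireplay {on_off(local.offload_antireplay)}",
        "end",
        "config firewall policy",
    ]
    # Two policies, one per direction, between the LAN port and the IPsec device.
    pairs = [(local.lan_if, local.phase1), (local.phase1, local.lan_if)]
    for seq, (src, dst) in enumerate(pairs, start=1):
        lines += [f"    edit {seq}", f'        set srcintf "{src}"',
                  f'        set dstintf "{dst}"', '        set srcaddr "all"',
                  '        set dstaddr "all"', "        set action accept",
                  '        set schedule "always"', '        set service "ALL"',
                  "    next"]
    # Static route: the peer's protected network via the IPsec device.
    lines += ["end", "config router static", f"    edit {local.route_seq}",
              f'        set device "{local.phase1}"',
              f"        set dst {dst_net} {dst_mask}", "    next", "end"]
    return "\n".join(lines)


def cross_check(a, b):
    """Mismatches that would keep the tunnel down, misroute, or skip anti-replay."""
    problems = []
    if a.wan_ip == b.wan_ip:
        problems.append("both units claim the same gateway IP")
    if a.lan_net == b.lan_net:
        problems.append("protected networks are identical; routes would be ambiguous")
    for u in (a, b):
        if not u.replay:
            problems.append(f"{u.name}: replay detection disabled on Phase 2")
        elif not u.offload_antireplay:
            problems.append(f"{u.name}: enc-offload-antireplay off, anti-replay "
                            "traffic is not offloaded")
    return problems


if __name__ == "__main__":
    fgt1 = Unit("FortiGate_1", "FGT_1_IPsec", "port2", "3.3.3.1", "port1", "1.1.1.0/24")
    fgt2 = Unit("FortiGate_2", "FGT_2_IPsec", "port2", "3.3.3.2", "port1", "2.2.2.0/24")
    print(render(fgt1, fgt2), render(fgt2, fgt1), sep="\n\n")
    print("\ncross-check:", cross_check(fgt1, fgt2) or "ok")
```

Running the script prints the CLI for both units; cross_check reports an empty list for the topology in the procedure and names the unit when replay detection or anti-replay offload has been left off on one side, which is the state the GUI steps 4 and 5 (and 13 and 14) exist to prevent.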