FortiGate
mtogo_FTNT, Staff
Article Id 190053

Description

 
This article describes the encryption/digest combination that is configured with 'set proposal KEYWORD' in a VPN IPsec phase2. When this proposal is manually set to a combination that the NPU on the hardware does not support, 'set npu-offload disable' must be set manually in the VPN IPsec phase1 that the phase2 references.

Even though the proposal is not supported by the NPU, FortiOS still tries to offload the ESP packets going through those SAs to the NPU. When the NPU receives packets whose proposal it does not support, it sends them back to the CPU, which then forwards them without NPU offload; this round trip causes extra overhead on the CPU.

This article is only applicable to hardware with NPU.
 
Scope
 
FortiGate.


Solution

 
Since npu-offload is enabled by default, 'set npu-offload disable' must be configured manually.
The following configuration is an example for a policy-based VPN.
 
For example, the IPsec phase1 is configured with the name 'myPhase1', and the phase2 'myPhase2' that uses it sets a proposal that the NPU does not support:

config vpn ipsec phase1-interface
    edit "myPhase1"
        set npu-offload disable
    next
end

config vpn ipsec phase2
    edit "myPhase2"
        set phase1name "myPhase1"
        set proposal aes256-sha256
    next
end
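To check a whole configuration backup for this condition rather than one tunnel at a time, the following script audits the `config vpn ipsec` blocks of a FortiOS CLI export: it maps each phase2 to its phase1 via `phase1name`, compares the phase2 proposal list against a set of NPU-offloadable proposals, and reports any phase2 whose proposal is not offloadable while its phase1 still has `npu-offload` enabled (the default, per the article). This is an added example and not Fortinet code; the `NPU_SUPPORTED_PROPOSALS` set is a hypothetical placeholder, since the offloadable combinations depend on the NPU model and FortiOS release, and the embedded configuration is constructed for the demonstration.

```python
"""Audit a FortiOS CLI config for phase2 proposals the NPU cannot offload."""
import re
from typing import Dict, List

# Hypothetical placeholder: the real set depends on the NPU model and FortiOS
# release, so replace it with the combinations documented for your hardware.
NPU_SUPPORTED_PROPOSALS = {"aes128-sha1", "aes256-sha1", "3des-sha1", "aes128-md5"}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "myPhase1"
        set remote-gw 203.0.113.10
    next
    edit "okPhase1"
        set remote-gw 203.0.113.20
        set npu-offload disable
    next
    edit "hwPhase1"
        set remote-gw 203.0.113.30
    next
end
config vpn ipsec phase2
    edit "myPhase2"
        set phase1name "myPhase1"
        set proposal aes256-sha256
    next
    edit "okPhase2"
        set phase1name "okPhase1"
        set proposal aes256-sha256
    next
    edit "hwPhase2"
        set phase1name "hwPhase1"
        set proposal aes128-sha1 aes256-sha1
    next
end
"""


def parse_vpn_blocks(config: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse 'config vpn ipsec <table>' blocks into {table: {entry: {key: value}}}."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = None
    entry = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'^config vpn ipsec (\S+)$', line)
        if m:
            table = m.group(1)
            tables.setdefault(table, {})
            continue
        if table is None:
            continue  # not inside a vpn ipsec block
        m = re.match(r'^edit "?(.+?)"?$', line)
        if m:
            entry = m.group(1)
            tables[table][entry] = {}
            continue
        m = re.match(r'^set (\S+) (.+)$', line)
        if m and entry is not None:
            tables[table][entry][m.group(1)] = m.group(2).strip('"')
            continue
        if line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def audit(config: str, supported=NPU_SUPPORTED_PROPOSALS) -> List[str]:
    """Return one finding per phase2 whose proposal is not offloadable while
    the referenced phase1 still has npu-offload enabled (the default)."""
    tables = parse_vpn_blocks(config)
    phase1s: Dict[str, Dict[str, str]] = {}
    for table in ("phase1", "phase1-interface"):
        phase1s.update(tables.get(table, {}))
    findings = []
    for table in ("phase2", "phase2-interface"):
        for name, attrs in tables.get(table, {}).items():
            p1name = attrs.get("phase1name", "")
            p1 = phase1s.get(p1name, {})
            # 'set proposal' may list several combinations separated by spaces;
            # an absent line means the FortiOS default list, which is not checked here.
            proposals = attrs.get("proposal", "").split()
            unsupported = [p for p in proposals if p not in supported]
            offload = p1.get("npu-offload", "enable")  # enabled unless explicitly disabled
            if unsupported and offload != "disable":
                findings.append(
                    f"{table} {name}: proposal {' '.join(unsupported)} is not NPU-offloadable; "
                    f"set npu-offload disable in phase1 {p1name}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, only `myPhase2` is reported: `okPhase2` uses the same proposal but its phase1 already has `npu-offload disable`, and `hwPhase2` uses only proposals in the supported set. Pointing the script at a real backup works the same way once the supported set is replaced with the list for the device's NPU.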