This article describes the configuration required to use an npu-vlink interface as the tunnel endpoint in an IPsec VPN phase1-interface configuration.
FortiGate models with NP6/NP6Lite processors.
The configuration below uses an npu-vlink VLAN subinterface as the VPN tunnel endpoint on the local FortiGate. With this configuration, IPsec traffic terminating on the tunnel is hardware accelerated by the NP6/NP6Lite processor.
This configuration is preferred over using a loopback interface as the tunnel endpoint, because traffic to and from a loopback interface is not accelerated by NP6/NP6Lite.
Npu-vlink interfaces are only available on devices running in multi-VDOM mode. If multi-VDOM mode cannot be enabled but hardware-accelerated IPsec is still required on an NP6/NP6Lite device, a physical interface must be used as the tunnel endpoint instead.
Multiple VDOM mode can be enabled as follows:
config system global
set vdom-mode multi-vdom
end
*** The CLI session is logged out at this point; log back in to continue. ***
Interfaces are created in the global context. The IPsec tunnel and the firewall policy are then configured inside the VDOM that owns the new vlink subinterface.
config global
config system interface
edit "npu0_vlink0"   <- name may differ on the device
set status up
next
edit "my_vlink_interface"
set vdom "my_vdom"
set ip xxx.xxx.xxx.xxx/32
set interface "npu0_vlink0"   <- name may differ on the device
set vlanid xxxx
next
end
end
config vdom
edit "my_vdom"
config vpn ipsec phase1-interface
edit "my_vpn_tunnel"
set type static|dynamic
set interface "my_vlink_interface"
......
next
end
config vpn ipsec phase2-interface
edit "my_vpn_tunnel"
set phase1name "my_vpn_tunnel"
......
next
end
next
end
A firewall policy is required to allow incoming IKE traffic from the WAN interface to the new vlink subinterface. Outbound (locally originated) IKE traffic is allowed automatically and needs no policy.
config firewall policy
edit 0
set srcintf <WAN INTERFACE>
set dstintf "my_vlink_interface"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "IKE"
next
end
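The steps above, assembled into one complete configuration with the verification commands a practitioner would run afterwards. This is an added example and not configuration from the original article; the interface names (npu0_vlink0, wan1, vlink-vpn), the VDOM name (my_vdom), the VLAN ID, the RFC 5737 documentation addresses, the protected subnets and the proposal choices are all assumed placeholders to be replaced with site values, and the pre-shared key is left as <PSK>.

```text
# Added example (not Fortinet's text). Interface names, VDOM, VLAN ID,
# addresses and proposals are assumed placeholders; replace them.

# 1. Global context: bring up the NP6 vlink and create the VLAN subinterface
#    that will carry the tunnel endpoint IP, assigned to the target VDOM.
config global
    config system interface
        edit "npu0_vlink0"                  # vlink name may differ; check "get system interface"
            set status up
        next
        edit "vlink-vpn"
            set vdom "my_vdom"
            set ip 192.0.2.10 255.255.255.255   # tunnel endpoint IP (/32), documentation range
            set interface "npu0_vlink0"
            set vlanid 100
        next
    end
end

# 2. VDOM context: terminate the tunnel on the vlink subinterface.
config vdom
    edit "my_vdom"
        config vpn ipsec phase1-interface
            edit "site-b"
                set type static
                set interface "vlink-vpn"       # npu-vlink subinterface, not a loopback
                set ike-version 2
                set peertype any
                set npu-offload enable          # default, shown explicitly
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 198.51.100.20     # peer public IP (placeholder)
                set psksecret <PSK>
            next
        end
        config vpn ipsec phase2-interface
            edit "site-b"
                set phase1name "site-b"
                set proposal aes256-sha256
                set src-subnet 10.1.0.0 255.255.255.0   # local protected subnet (placeholder)
                set dst-subnet 10.2.0.0 255.255.255.0   # remote protected subnet (placeholder)
            next
        end

        # 3. Allow inbound IKE from the WAN interface to the vlink subinterface.
        #    Locally originated IKE towards the peer needs no policy.
        config firewall policy
            edit 0
                set name "ike-to-vlink"
                set srcintf "wan1"
                set dstintf "vlink-vpn"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "IKE"
            next
        end
    next
end

# 4. Verification (run inside the VDOM):
#    diagnose vpn ike gateway list        -> IKE SA established to 198.51.100.20
#    diagnose vpn tunnel list             -> per-tunnel npu_flag; a non-zero value shows
#                                            the SA has been pushed to the NP6/NP6Lite
#    get vpn ipsec tunnel summary         -> tunnel up, selectors as configured
```

The IPsec proposals are restricted to AES-CBC with SHA-2 here because those algorithms are offloadable on NP6/NP6Lite; if a non-offloadable algorithm is negotiated, the tunnel still comes up but `npu_flag` in `diagnose vpn tunnel list` stays zero and encryption falls back to the CPU, which is the exact outcome this design is meant to avoid.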
Copyright 2024 Fortinet, Inc. All Rights Reserved.