FortiGate
scollins
Staff
Article Id 239943
Description

This article describes the configuration required to use an npu-vlink interface as the tunnel endpoint in an IPsec VPN phase1 configuration.

Scope

FortiGate with NP6/NP6Lite.

Solution

The configuration below uses an npu-vlink interface as the VPN tunnel endpoint on the local FortiGate. With this configuration, IPsec traffic is hardware accelerated by the NP6/NP6Lite processor.

This configuration is preferred over using a loopback interface as the tunnel endpoint, because loopback traffic is not accelerated by NP6/NP6Lite.

Npu-vlinks can only be configured on devices running multiple VDOMs. If multiple VDOMs cannot be enabled but hardware-accelerated IPsec traffic is required on an NP6/NP6Lite device, a physical interface must be used as the tunnel endpoint instead.

Multiple VDOM mode can be enabled as follows:

config system global
    set vdom-mode multi-vdom
end

*** You will be logged out at this point and must log back in to continue. ***

config vdom
    edit "my_vdom"
    next
end

config system interface    -> in multi-VDOM mode, enter this from "config global"
    edit "npu0_vlink0"    -> name may differ on the device
        set status up
    next
    edit "my_vlink_interface"
        set vdom "my_vdom"
        set ip xxx.xxx.xxx.xxx/32
        set interface "npu0_vlink0"    -> name may differ on the device
        set vlanid xxxx
    next
end

config vpn ipsec phase1-interface    -> in multi-VDOM mode, enter this from within the VDOM (config vdom, edit "my_vdom")
    edit "my_vpn_tunnel"
        set type static|dynamic
        set interface "my_vlink_interface"
        ......
    next
end

config vpn ipsec phase2-interface
    edit "my_vpn_tunnel"
        set phase1name "my_vpn_tunnel"
        ......
    next
end

An inbound firewall rule is required to allow incoming IKE traffic to the new interface. Outbound (locally originated) traffic is automatically allowed.

config firewall policy
    edit 0
        set srcintf <WAN INTERFACE>
        set dstintf "my_vlink_interface"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE"
    next
end
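As an added check, not code from the Fortinet article, the following Python script parses a FortiOS CLI configuration backup and reports whether vdom-mode is multi-vdom and what kind of interface each phase1 tunnel terminates on, so a loopback endpoint that forfeits NP6/NP6Lite acceleration is caught before the tunnel goes into service. The parser, the classification rules and the sample configuration are all constructed for this example.

```python
import shlex
def parse(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    stack = [{}]                                  # stack[-1] is the current scope
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] in ("config", "edit"):          # descend into a table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                     # key followed by its value(s)
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):           # climb back out
            stack.pop()
    return stack[0]

def multi_vdom(cfg):                              # precondition for any npu-vlink
    return cfg.get("system global", {}).get("vdom-mode") == "multi-vdom"

def endpoint_kind(cfg):                           # npu-vlink / loopback / other per tunnel
    intfs = cfg.get("system interface", {})
    def kind(ep):
        parent = ep.get("interface", "")          # underlying interface of a VLAN
        if ep.get("type") == "loopback":
            return "loopback"                     # not NP6/NP6Lite accelerated
        if parent.startswith("npu") and "_vlink" in parent:
            return "npu-vlink"                    # accelerated, the article's pattern
        return "other"                            # physical port or anything else
    return {name: kind(intfs.get(p1.get("interface", ""), {}))
            for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items()}

# Constructed sample backup with one tunnel per endpoint style from the article.
SAMPLE = """config system global
    set vdom-mode multi-vdom
end
config system interface
    edit "my_vlink_interface"
        set interface "npu0_vlink0"
    next
    edit "lo_vpn"
        set type loopback
    next
end
config vpn ipsec phase1-interface
    edit "tun_vlink"
        set interface "my_vlink_interface"
    next
    edit "tun_lo"
        set interface "lo_vpn"
    next
end"""

print(multi_vdom(parse(SAMPLE)), endpoint_kind(parse(SAMPLE)))
```

Run it against a real backup by replacing SAMPLE with the file contents; any tunnel reported as "loopback" is a candidate for moving onto an npu-vlink or physical endpoint.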