IPSec hardware fast forwarding is enabled by default.
After IPSec hardware fast forwarding is enabled, the device migrates IPSec packet encryption and decryption from the CPU to the NP, improving the processing speed.
IPSec hardware fast forwarding takes effect only when the following conditions are met:
- Global hardware fast forwarding is enabled (hardware fast-forwarding enable).
- The IPSec tunnel is not encapsulated in transport mode.
- The IPSec tunnel is not configured in manual mode.
- Policy-based rate limit is disabled for the SA.
- IPSec over GRE is not used.
- IPv6 IPSec is not used.
- The encryption and decryption algorithms used by the SA must be supported by the hardware engine. Algorithms such as AES-GCM, AES-GMAC and SM4 are not supported.
- In IPSec NAT traversal scenarios, the port number for NAT traversal must be 500 or 4500. If the port number is changed from 500 or 4500 to another port number, IPSec hardware fast forwarding is not performed, and the IPSec performance deteriorates.
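The conditions above can be checked across a tunnel inventory to find tunnels that fall back to CPU processing. The following is an added example, not vendor code: the `Tunnel` fields, algorithm labels and sample inventory are hypothetical and constructed, not device configuration syntax. An empty result means no blocker from this list was found; the page names the unsupported algorithms only as examples, so it does not prove the algorithm is hardware-supported.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Named on the page only as examples ("such as") of algorithms without
# hardware engine support; the complete list is not given there.
KNOWN_UNSUPPORTED = {"aes-gcm", "aes-gmac", "sm4"}
NAT_T_PORTS = {500, 4500}

@dataclass
class Tunnel:  # hypothetical inventory record
    name: str
    encapsulation: str = "tunnel"              # "tunnel" or "transport"
    manual_sa: bool = False
    sa_rate_limit: bool = False
    over_gre: bool = False
    ipv6: bool = False
    algorithms: Tuple[str, ...] = ("aes-256", "sha2-256")
    nat_traversal_port: Optional[int] = None   # None: NAT traversal not in use

def blockers(t, global_fast_forwarding=True):
    """Return the listed conditions that keep this tunnel on the CPU."""
    reasons = []
    if not global_fast_forwarding:
        reasons.append("global hardware fast forwarding disabled")
    if t.encapsulation == "transport":
        reasons.append("transport mode encapsulation")
    if t.manual_sa:
        reasons.append("manual mode tunnel")
    if t.sa_rate_limit:
        reasons.append("policy-based rate limit on the SA")
    if t.over_gre:
        reasons.append("IPSec over GRE")
    if t.ipv6:
        reasons.append("IPv6 IPSec")
    bad = sorted(a for a in t.algorithms if a.lower() in KNOWN_UNSUPPORTED)
    if bad:
        reasons.append("algorithm without hardware support: " + ", ".join(bad))
    if t.nat_traversal_port is not None and t.nat_traversal_port not in NAT_T_PORTS:
        reasons.append(f"NAT traversal port {t.nat_traversal_port} is not 500 or 4500")
    return reasons

def audit(tunnels, global_fast_forwarding=True):
    return {t.name: blockers(t, global_fast_forwarding) for t in tunnels}

# Constructed sample inventory
SAMPLE = [
    Tunnel("branch-a"),
    Tunnel("branch-b", algorithms=("AES-GCM",)),
    Tunnel("branch-c", nat_traversal_port=4501, ipv6=True),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(name, "NP" if not why else "CPU: " + "; ".join(why))
```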
Only the USG6510E/6510E-POE, USG6530E, USG6515E/6550E/6560E/6580E, and USG6525E/6555E/6565E/6575E-B/6585E/6605E-B support this command.