Re: ipsec tunnel settings for best performance
Please drop MD5 from your list of hash algos. Use SHA1 or better still, SHA256. MD5 has been compromised before.
Again, I'm not sure that the higher SHA algos are hw accelerated (though they are supported in FortiOS).
Seems they are, up to SHA512 (cf. KB article).
aria, seed, aesXXXgcm all cannot be offloaded. The CPU will have to do that, which forfeits one major advantage of a FortiGate.
You'll notice that some algos are not offloaded in phase1 but are in phase2. No idea why.
In addition to the "Encryption" chapter, have a look at the preceding chapter "ASIC offloading" in the Cookbook.
And in encryption, do not use DES or 3DES.
And all of your other assumptions are correct.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
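The advice in the reply above can be turned into a quick check over an exported configuration. This is an added example, not part of the original post or any Fortinet tool: it assumes FortiOS-style `config vpn ipsec phase1-interface` / `phase2-interface` blocks with `set proposal` lines, the sample configuration is constructed, and the "CPU-only" list is only the rule of thumb stated in the post (actual offload support depends on model and phase).

```python
import re
import shlex

WEAK = {"md5", "des", "3des"}     # the post: drop MD5, DES and 3DES
CPU_ONLY_PREFIXES = ("aria", "seed")  # the post: cannot be offloaded (plus aesXXXgcm)

def classify(proposal):
    """Return sorted findings for one proposal token such as '3des-md5'."""
    findings = set()
    for part in proposal.lower().split("-"):
        if part in WEAK:
            findings.add("weak:" + part)
        if part.startswith(CPU_ONLY_PREFIXES) or re.fullmatch(r"aes\d+gcm", part):
            findings.add("cpu-only:" + part)
    return sorted(findings)

def audit(config_text):
    """Map (section, tunnel) -> {proposal: findings} for every flagged proposal."""
    report, section, name = {}, None, None
    for line in config_text.splitlines():
        words = shlex.split(line)  # handles quoted tunnel names
        if not words:
            continue
        if words[:3] == ["config", "vpn", "ipsec"] and len(words) == 4:
            section = words[3]
        elif words[0] == "edit" and section and len(words) > 1:
            name = words[1]
        elif words[:2] == ["set", "proposal"] and section and name:
            flagged = {p: classify(p) for p in words[2:] if classify(p)}
            if flagged:
                report[(section, name)] = flagged
        elif words[0] == "next":
            name = None
        elif words[0] == "end":
            section = name = None
    return report

# Constructed sample configuration, not taken from a real device.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "to-branch"
        set proposal aes256-sha256 3des-md5
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set proposal aes128gcm aes256-sha512
    next
end
'''

if __name__ == "__main__":
    for (section, tunnel), flagged in audit(SAMPLE).items():
        print(section, tunnel, flagged)
```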