Skip to main content
KumarV
Staff
KumarV
Staff
October 15, 2024

Technical Tip: Unable to add the Phase-2 Selectors in IPSec tunnel

  • October 15, 2024
  • 0 replies
  • 2219 views
Description

This article describes how to add an IPSec phase 2 selector when FortiGate is giving the error: '-56 empty values are not allowed'.
Scope FortiGate.
Solution

This issue arises when no Phase-2 selector is configured in the IPSec tunnel. Adding the Phase-2 selector by selecting the edit button shows the error '-56 empty values are not allowed'.

 

The following Image shows the error:

 

IPSec_KB.JPG

 

The following Image shows the example of a configuration with no Phase-2 selector:


ipsec_kb2.JPG

 

Select 'Convert to Custom Tunnel' and try to add Phase-2 selectors as shown in the image below:

 

ipsec_kb4.JPG

Note:
If the encapsulation is set to transport-mode under phase2 setting, the phase2-selector will be unavailable. Switch to tunnel mode, and phase2-selector will be available to configure.

 

config vpn ipsec phase2-interface
    edit "tunnel_name"
        set encapsulation tunnel-mode
end

Related article:

Technical Tip: To Delete IPSec VPN tunnel Phase2 selector from FortiGate CLI
    Terms & ConditionsAccessibility statement