FortiGate
Jackie_T
Article Id 213688
Description

This article explains the available IPsec VPN modes in FortiOS.

Scope

Any supported version of FortiGate.

Solution

FortiGate IPsec VPN supports two modes:

- Transport mode.
- Tunnel mode.


Tunnel mode is the default mode selected when a VPN is first configured.

 

FortiOS IPsec VPN uses only the ESP (Encapsulating Security Payload) protocol (IP protocol number 50), which provides both encryption and integrity protection for the encapsulated data.

FortiOS does not support the AH (Authentication Header) protocol (IP protocol number 51). In practice this means an upstream firewall in front of a FortiGate only needs to permit IP protocol 50 for the data plane, together with UDP 500 (IKE) and UDP 4500 (IKE/ESP with NAT traversal).


The packet layout in each mode (shown as a diagram in the original article):

Transport mode: [original IP header] [ESP header] [Layer 4 header + data] [ESP trailer] [ESP ICV]

Tunnel mode: [new outer IP header] [ESP header] [original IP header] [Layer 4 header + data] [ESP trailer] [ESP ICV]

In both modes the IP header in front of ESP and the ESP header itself (SPI and sequence number) are sent in clear; everything between the ESP header and the ICV is encrypted, and the ICV covers the ESP header plus the encrypted span.


The IPsec mode is configured per Phase 2 in the CLI (the GUI does not expose it):

IPsec tunnel mode (the default, so the set line is normally not shown in the running configuration):

# config vpn ipsec phase2-interface
    edit <phase2-name>
        set encapsulation tunnel-mode
    next
end

IPsec transport mode:

# config vpn ipsec phase2-interface
    edit <phase2-name>
        set encapsulation transport-mode
    next
end


The main difference between the two modes is what ESP protects. In tunnel mode the entire original IP packet (header and payload) becomes the ESP payload and a new outer IP header, addressed between the two IPsec gateways, is prepended. In transport mode the original IP header is kept (with its protocol field rewritten to 50) and only the Layer 4 payload is protected. Transport mode therefore saves the 20 bytes of an extra IPv4 header per packet, but it leaves the original source and destination addresses visible on the wire and can only protect traffic whose endpoints are the IPsec peers themselves; it cannot carry packets on behalf of hosts behind the gateways.
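The following Python script is an added example, not code from the article or from FortiOS, that builds the on-the-wire framing for both modes from one constructed IPv4/UDP packet so the difference in exposed headers can be inspected byte by byte. It applies no encryption (the ESP payload is left in clear and marked as such), computes the ICV as a truncated HMAC-SHA256 over the span ESP authenticates, assumes IPv4 headers without options and no NAT-T, and uses constructed addresses, SPI and key; a real FortiGate SA negotiates its cipher and integrity algorithm via IKE.

```python
import hashlib
import hmac
import struct

ESP = 50          # IP protocol number for ESP (the only one FortiOS negotiates)
AH = 51           # IP protocol number for AH (not supported by FortiOS)
IPV4_IN_ESP = 4   # ESP "next header" value when the payload is a whole IPv4 packet
ICV_LEN = 16      # truncated ICV length used here (as with HMAC-SHA256-128)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum; returns 0 when run over a header whose checksum field is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, id/flags zeroed) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    return {
        "ihl": (pkt[0] & 0x0F) * 4,
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header + [inner + trailer] + ICV. The bracketed span would be encrypted in a real SA."""
    pad_len = (-(len(inner) + 2)) % 4                    # RFC 4303: trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)
    authenticated = esp_header + inner + trailer         # NOT encrypted here: framing only
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def transport_mode(orig: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header (protocol becomes 50); protect only the Layer 4 payload."""
    info = parse_ipv4(orig)
    esp = esp_encapsulate(orig[info["ihl"]:], info["proto"], spi, seq, key)
    return ipv4_header(info["src"], info["dst"], ESP, len(esp), info["ttl"]) + esp


def tunnel_mode(orig: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Protect the whole original packet; prepend a new outer header addressed between gateways."""
    esp = esp_encapsulate(orig, IPV4_IN_ESP, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def on_the_wire(pkt: bytes) -> dict:
    """What an on-path observer sees without the SA key: outer addresses, protocol, SPI, sequence."""
    info = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", pkt[info["ihl"]:info["ihl"] + 8])
    return {"src": info["src"], "dst": info["dst"], "proto": info["proto"], "spi": spi, "seq": seq}


def icv_valid(pkt: bytes, key: bytes) -> bool:
    """Recompute the ICV over the ESP header plus the (would-be ciphertext) span."""
    ihl = parse_ipv4(pkt)["ihl"]
    expected = hmac.new(key, pkt[ihl:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, pkt[-ICV_LEN:])


# Constructed sample: a UDP datagram from an inside host to a host behind the remote gateway.
KEY = b"constructed-demo-key-not-a-real-SA-key"
UDP = struct.pack("!HHHH", 40000, 53, 8 + 4, 0) + b"demo"
ORIG = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(UDP)) + UDP
TRANSPORT = transport_mode(ORIG, 0x1001, 1, KEY)
TUNNEL = tunnel_mode(ORIG, "198.51.100.1", "203.0.113.1", 0x1001, 1, KEY)

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        print(name, len(pkt), "bytes, visible on the wire:", on_the_wire(pkt))
```

Running it shows the transport-mode packet still carrying 10.1.1.10 and 10.2.2.20 in the outer header (60 bytes), while the tunnel-mode packet exposes only the gateway addresses 198.51.100.1 and 203.0.113.1 (80 bytes) with the complete original packet inside ESP. The trailer's next-header byte is 17 (UDP) in transport mode and 4 (IPv4) in tunnel mode, which is how the receiver knows whether to hand the payload to Layer 4 or to the IP stack.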

 

Transport mode is appropriate in either of the following scenarios:

- No tunneling is necessary because the IPsec peers are themselves the senders and recipients of the protected data. For example: an IPsec connection between a FortiGate and a FortiAnalyzer in transport mode.

- Tunneling is already performed by another protocol, so a second IP header would only add overhead. For example: GRE over IPsec, IP-in-IP over IPsec, or L2TP over IPsec.

