Description
This article explains the available IPsec VPN modes in FortiOS.
Scope
Any supported version of FortiGate.
Solution
FortiGate IPsec VPN supports two modes:
- Transport mode.
- Tunnel mode.
Tunnel mode is the default mode selected when a VPN is first configured.
The FortiOS IPsec VPN uses the ESP (Encapsulating Security Payload) protocol only (IP protocol number 50).
FortiOS does not support the AH (Authentication Header) protocol (IP protocol number 51). Upstream firewalls therefore only need to pass protocol 50 (or UDP 4500 when NAT traversal is in use) alongside IKE on UDP 500.
The packet layout differs per mode (shown as a diagram in the original article; in text form):
- Transport mode: original IP header | ESP header | original payload (TCP, UDP, GRE, ...) | ESP trailer | ESP ICV
- Tunnel mode: new IP header | ESP header | original IP header | original payload | ESP trailer | ESP ICV
IPsec modes are configured in the phase 2 settings in the CLI:
IPsec tunnel mode (the default):
# config vpn ipsec phase2-interface
#     edit <phase2-name>
#         set encapsulation tunnel-mode
#     next
# end
IPsec transport mode:
# config vpn ipsec phase2-interface
#     edit <phase2-name>
#         set encapsulation transport-mode
#     next
# end
The main difference between the two modes is that tunnel mode adds a new outer IP header and protects the entire original IP packet (header included), whereas transport mode keeps the original IP header and protects only the payload that follows it. Tunnel mode therefore hides the original source and destination addresses and costs an extra IP header of overhead per packet.
Transport mode is used in either of the two following scenarios:
- No tunneling is necessary. The peers are the actual senders and recipients of the plaintext and protected data. For example: an IPsec tunnel between FortiGate and FortiAnalyzer in transport mode.
- Tunneling is already performed by another protocol. For example: GRE over IPsec, IP-in-IP over IPsec, or L2TP over IPsec.
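The following worked example is added to this article and is not Fortinet code or FortiOS output. It builds the ESP framing for both modes over a constructed sample IPv4/UDP packet so the header ordering and per-packet overhead can be compared side by side. Encryption and the ICV are replaced by placeholder bytes (the framing is the point, not the cryptography); header sizes follow RFC 4303 (ESP) and RFC 791 (IPv4), and the block size, IV and ICV lengths are assumptions matching AES-CBC with a 128-bit ICV. All addresses, SPI values and payload bytes are constructed.

```python
"""ESP tunnel-mode vs transport-mode framing (added example, not FortiOS code)."""
import struct

ESP_PROTO = 50      # IP protocol number for ESP; FortiOS uses ESP only (no AH/51)
IPV4_IN_IP = 4      # ESP next-header value for an encapsulated IPv4 packet
UDP_PROTO = 17


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a header with an even byte length."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(plain: bytes, next_header: int, spi: int, seq: int,
                    block: int = 16, iv_len: int = 16, icv_len: int = 16) -> bytes:
    """RFC 4303 layout: SPI | Seq | IV | [payload | padding | pad len | next hdr] | ICV.

    Block, IV and ICV sizes are assumptions (AES-CBC, 128-bit ICV). The bracketed
    part would be ciphertext on the wire; it is left in the clear here.
    """
    pad_len = (-(len(plain) + 2)) % block            # align (payload + trailer) to block
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad pattern
    trailer = bytes([pad_len, next_header])
    iv = b"\x00" * iv_len                             # placeholder per-packet IV
    icv = b"\x00" * icv_len                           # placeholder integrity check value
    return struct.pack("!II", spi, seq) + iv + plain + padding + trailer + icv


def tunnel_mode(inner_packet: bytes, outer_src: str, outer_dst: str,
                spi: int, seq: int) -> bytes:
    """Tunnel mode: whole original IP packet goes inside ESP, new outer IP header added."""
    esp = esp_encapsulate(inner_packet, IPV4_IN_IP, spi, seq)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def transport_mode(inner_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP header kept, only the payload after it goes inside ESP."""
    ihl = (inner_packet[0] & 0x0F) * 4
    ip_hdr, payload = inner_packet[:ihl], inner_packet[ihl:]
    esp = esp_encapsulate(payload, ip_hdr[9], spi, seq)   # next header = original protocol
    hdr = bytearray(ip_hdr)
    hdr[9] = ESP_PROTO                                    # protocol field now says ESP
    hdr[2:4] = struct.pack("!H", ihl + len(esp))          # total length grows
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp


def sample_inner_packet() -> bytes:
    """Constructed sample: 20-byte IPv4 + 8-byte UDP + 15-byte payload = 43 bytes."""
    payload = b"hello fortigate"
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(payload), 0) + payload
    return ipv4_header("10.1.1.10", "10.2.2.20", UDP_PROTO, len(udp)) + udp


def overhead_bytes(mode_packet: bytes, inner_packet: bytes) -> int:
    """Bytes added on the wire relative to the original packet."""
    return len(mode_packet) - len(inner_packet)


if __name__ == "__main__":
    inner = sample_inner_packet()
    t = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1)
    x = transport_mode(inner, 0x1000, 1)
    print("original:       %3d bytes" % len(inner))
    print("tunnel mode:    %3d bytes (+%d)" % (len(t), overhead_bytes(t, inner)))
    print("transport mode: %3d bytes (+%d)" % (len(x), overhead_bytes(x, inner)))
```

Running it shows the 43-byte sample growing to 108 bytes in tunnel mode and 92 bytes in transport mode. The difference is not a flat 20 bytes: tunnel mode adds the outer IPv4 header, but because the encrypted portion is padded to the cipher block size the two modes also land on different pad lengths, which is why MTU and TCP MSS planning should be done against the actual framing rather than by adding a fixed constant.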
Copyright 2024 Fortinet, Inc. All Rights Reserved.