Description
This article explains the available IPsec VPN modes in FortiOS.
Scope
FortiGate.
Solution
FortiGate IPsec VPN supports two modes: tunnel mode and transport mode.
Tunnel mode is the default mode selected when a VPN is first configured.
FortiOS IPsec VPN uses only the ESP (Encapsulating Security Payload) protocol (IP protocol number 50).
FortiOS does not support the AH (Authentication Header) protocol (IP protocol number 51).
The diagram below shows the packet header in different modes:
The IPsec mode is configured per Phase 2 selector, under the Phase 2 settings in the CLI (the keyword is set, lowercase):
IPsec tunnel mode (the default):
config vpn ipsec phase2-interface
    edit <phase2-name>
        set encapsulation tunnel-mode
    next
end
IPsec transport mode:
config vpn ipsec phase2-interface
    edit <phase2-name>
        set encapsulation transport-mode
    next
end
The main difference between the two modes is the IP header: tunnel mode encapsulates the entire original IP packet inside ESP and adds a new outer IP header (the VPN gateway addresses), while transport mode keeps the original IP header and protects only the payload that follows it.
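As an added illustration that is not part of the original article, the following Python script builds the pre-encryption ESP layout for the same GRE packet in both FortiOS modes, so the extra outer header of tunnel mode and the differing ESP next-header value can be compared directly; the addresses, SPI, block size and ICV length are constructed values.

```python
import struct

ESP_PROTO = 50   # Encapsulating Security Payload, the protocol FortiOS uses
AH_PROTO = 51    # Authentication Header, not supported by FortiOS
NH_IPV4 = 4      # ESP next-header meaning "an IPv4 packet follows" (tunnel mode)

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (TTL 64, checksum left 0) for layout purposes only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_encapsulate(mode, inner_packet, spi, seq, gw_src=None, gw_dst=None,
                    block=16, icv_len=16):
    """Return the ESP layout (before encryption) of one IPv4 packet.

    tunnel-mode:    new outer IP hdr | SPI seq | [whole inner IP packet] pad padlen NH=4     | ICV
    transport-mode: original IP hdr  | SPI seq | [inner payload only]    pad padlen NH=proto | ICV
    The part in [ ] plus the trailer is what gets encrypted; padding aligns it to `block`.
    """
    ihl = (inner_packet[0] & 0x0F) * 4
    inner_proto = inner_packet[9]
    if mode == "tunnel-mode":
        protected, next_header = inner_packet, NH_IPV4
        src, dst = gw_src, gw_dst                      # new outer header: gateway addresses
    elif mode == "transport-mode":
        protected, next_header = inner_packet[ihl:], inner_proto
        src = ".".join(map(str, inner_packet[12:16]))  # original header is reused
        dst = ".".join(map(str, inner_packet[16:20]))
    else:
        raise ValueError(f"unknown encapsulation {mode!r}")
    pad_len = (-(len(protected) + 2)) % block          # +2 for pad-length and next-header bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", spi, seq) + protected + trailer + b"\x00" * icv_len
    total_len = 20 + len(esp)
    return {"packet": ipv4_header(src, dst, ESP_PROTO, total_len) + esp,
            "next_header": next_header, "total_len": total_len,
            "overhead": total_len - len(inner_packet)}

def classify_outer(packet):
    """Tell ESP from AH on the wire using the outer IPv4 protocol field (byte 9)."""
    return {ESP_PROTO: "ESP", AH_PROTO: "AH"}.get(packet[9], "other")

# Constructed sample: a 60-byte GRE packet (protocol 47) whose endpoints are the two
# gateways themselves, which is the GRE-over-IPsec case where transport mode suffices.
INNER = ipv4_header("203.0.113.1", "198.51.100.1", 47, 20 + 40) + b"\x00" * 40
TUNNEL = esp_encapsulate("tunnel-mode", INNER, 0xC0FFEE, 1, "203.0.113.1", "198.51.100.1")
TRANSPORT = esp_encapsulate("transport-mode", INNER, 0xC0FFEE, 1)
```

Comparing TUNNEL and TRANSPORT shows the 20-byte second IP header that tunnel mode adds and the next-header value of 4 versus 47 in the ESP trailer.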
Transport mode is used in either of the following two scenarios:
Examples of setups using transport mode:
GRE over IPsec:
L2TP over IPsec: How to configure L2TP over IPSec on a FortiGate