Description: This article describes the behavior of IPsec tunnels in transport mode.
Scope: FortiGate.
Solution:
By default, an IPsec tunnel configuration requires the local and remote subnets that are allowed over the tunnel (the phase2 selectors). Unless these addresses or address objects are specified, the configuration cannot be saved. In some scenarios 0.0.0.0/0 can be used as open selectors:
When the mode is changed from the default encapsulation (tunnel mode) to transport mode, the selectors are deleted:
sh ful
set encapsulation transport-mode
end
After changing the mode:
The phase2 selectors are removed after changing the encapsulation mode to transport because, in this mode, only the endpoint IP addresses themselves are encapsulated.
When two VPN endpoints need to communicate, only traffic between those two endpoint addresses is encapsulated. In tunnel mode, by contrast, traffic between the local and remote subnets behind the endpoints is encapsulated as well.
To revert the IPsec tunnel to the default encapsulation mode, the src-name and dst-name addresses must be defined in the CLI. In some FortiOS versions, if src-name and dst-name are not specified in phase2, the selectors default to 0.0.0.0/0.
(Test) # set encapsulation tunnel-mode
(Test) # end
After changing the mode, the phase2 selectors are visible again. Since src-name and dst-name were not specified, the default selectors were applied:
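The selector behavior described above, as an added example that is not Fortinet code: a small model of a phase2 entry in which switching to transport-mode drops the selectors, switching back to tunnel-mode without src-name/dst-name defaults them to 0.0.0.0/0, and only endpoint-to-endpoint traffic is protected in transport mode. The gateway and subnet addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")  # default selector when src-name/dst-name are unset


@dataclass
class Phase2:
    """Simplified phase2 entry: gateway endpoints plus optional traffic selectors."""
    local_gw: IPv4Address
    remote_gw: IPv4Address
    encapsulation: str = "tunnel-mode"
    src_subnet: Optional[IPv4Network] = None   # src-name
    dst_subnet: Optional[IPv4Network] = None   # dst-name


def set_encapsulation(p2: Phase2, mode: str) -> Phase2:
    """Model 'set encapsulation <mode>' and its effect on the selectors."""
    if mode == "transport-mode":
        # Only endpoint addresses are encapsulated, so subnet selectors are removed.
        p2.src_subnet = None
        p2.dst_subnet = None
    elif mode == "tunnel-mode":
        # Reverting without src-name/dst-name falls back to the open selector.
        p2.src_subnet = p2.src_subnet or ANY
        p2.dst_subnet = p2.dst_subnet or ANY
    else:
        raise ValueError(f"unknown encapsulation mode: {mode}")
    p2.encapsulation = mode
    return p2


def is_protected(p2: Phase2, src: str, dst: str) -> bool:
    """Would a packet src->dst be encapsulated by this phase2 entry?"""
    s, d = IPv4Address(src), IPv4Address(dst)
    if p2.encapsulation == "transport-mode":
        # Transport mode protects traffic between the two VPN endpoints only.
        return s == p2.local_gw and d == p2.remote_gw
    # Tunnel mode protects traffic matching the subnet selectors.
    return s in p2.src_subnet and d in p2.dst_subnet


def sample_phase2() -> Phase2:
    """Constructed sample: LAN 10.1.0.0/24 behind 203.0.113.1, LAN 10.2.0.0/24 behind 198.51.100.1."""
    return Phase2(IPv4Address("203.0.113.1"), IPv4Address("198.51.100.1"), "tunnel-mode",
                  IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24"))
```

A host behind one FortiGate reaching a host behind the other is protected only in tunnel mode; after switching to transport mode only the gateway-to-gateway flow matches.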
Important highlights: Use transport mode only when traffic between the two VPN endpoints themselves needs to be protected, for example when connecting FortiAnalyzer to a FortiGate interface. FortiGate does not use the AH protocol due to security flaws.
Related articles:
Technical Tip: IPsec encapsulation modes
Troubleshooting Tip: IPsec VPN tunnels
Copyright 2025 Fortinet, Inc. All Rights Reserved.