FortiGate
princes
Staff
Article Id 362892
Description This article describes the behavior of IPsec tunnels in transport mode.
Scope FortiGate.
Solution

By default, an IPsec tunnel configuration requires the local and remote subnets that are allowed over the tunnel (the phase 2 selectors).

Without these addresses or address objects, the tunnel cannot be configured.

In some scenarios, 0.0.0.0/0 can be used as open selectors:

[Screenshot 2024-12-06 144541.png]

While changing the mode from the default encapsulation (tunnel mode) to transport mode, the selectors are deleted:

(Test) # sh ful
config vpn ipsec phase2-interface
    edit "Test"
        set phase1name "Test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs enable
        set ipv4-df disable
        set dhgrp 14 5
        set replay enable
        set keepalive disable
        set auto-negotiate disable
        set inbound-dscp-copy phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments "VPN: Test (Created by VPN wizard)"
        set diffserv disable
        set protocol 0
        set src-addr-type name
        set src-port 0
        set dst-addr-type name
        set dst-port 0
        set keylifeseconds 43200
        set src-name "Test_local"
        set dst-name "Test_remote"
    next
end

(Test) # set encapsulation transport-mode

(Test) # end


After changing the mode:

[Screenshot 2024-12-06 144918.png]

The phase 2 selectors are removed after the encapsulation mode is changed to transport because, in this mode, only the traffic between the endpoint IP addresses themselves is encapsulated.

When two VPN endpoints need to communicate, only the traffic between those two endpoint addresses is protected. In tunnel mode, by contrast, traffic from the local and remote subnets behind the endpoints is encapsulated as well.

To revert the IPsec tunnel to the default encapsulation mode, the src-name and dst-name addresses must be defined in the CLI.

In some FortiOS versions, if src-name and dst-name are not specified in phase 2, the selectors default to 0.0.0.0/0.

(Test) # set encapsulation tunnel-mode

(Test) # end


After changing the mode, the phase 2 selectors are visible again. Since src-name and dst-name were not specified, the default selectors were applied:

[Screenshot 2024-12-06 150248.png]

Important Highlights:

Use transport mode only when the traffic between the two VPN endpoints themselves needs to be protected, for example when connecting FortiAnalyzer to a FortiGate interface. FortiGate does not use the AH protocol due to security flaws.
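As an added audit example (not from the article or from Fortinet), the following Python parses the phase2-interface section of a FortiGate `show` output and flags entries that are in transport mode, or tunnel-mode entries whose selectors are open (0.0.0.0/0) or whose src-name/dst-name is missing. The configuration text is constructed, and the FortiOS defaults applied to omitted settings (tunnel-mode, addr-type subnet, subnet 0.0.0.0/0) are an assumption.

```python
import re

# Constructed sample of `show` output for `config vpn ipsec phase2-interface`
# (not from the article): "Test" was reverted to tunnel-mode without src-name/
# dst-name, "FAZ" is in transport-mode, "Branch" keeps named selectors.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "Test"
    next
    edit "FAZ"
        set encapsulation transport-mode
    next
    edit "Branch"
        set src-addr-type name
        set dst-addr-type name
        set src-name "Branch_local"
        set dst-name "Branch_remote"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

def parse_phase2(text):
    # Map each `edit "<name>" ... next` block to its `set key value` pairs.
    entries, current = {}, None
    for line in text.splitlines():
        if m := EDIT_RE.match(line):
            current = entries.setdefault(m.group(1), {})
        elif (m := SET_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line.strip() == "next":
            current = None
    return entries

def audit_selectors(entries):
    # `show` omits defaults; assumed defaults: tunnel-mode, subnet, 0.0.0.0/0.
    findings = []
    for name, cfg in entries.items():
        if cfg.get("encapsulation", "tunnel-mode") == "transport-mode":
            findings.append((name, "transport-mode: only endpoint-to-endpoint traffic is protected"))
            continue
        for side in ("src", "dst"):
            if cfg.get(f"{side}-addr-type", "subnet") == "subnet":
                if cfg.get(f"{side}-subnet", "0.0.0.0 0.0.0.0") == "0.0.0.0 0.0.0.0":
                    findings.append((name, f"{side} selector is open (0.0.0.0/0)"))
            elif not cfg.get(f"{side}-name"):
                findings.append((name, f"{side}-name is not set"))
    return findings
```

Run `audit_selectors(parse_phase2(SAMPLE_CONFIG))` against a saved `show` output to list the entries worth reviewing after a mode change.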


Related articles

Technical Tip: IPsec encapsulation modes

Troubleshooting Tip: IPsec VPNs tunnels