FortiGate
KumarV
Staff
Article Id 349304
Description

This article describes how to add an IPSec phase 2 selector when FortiGate is giving the error: '-56 empty values are not allowed'.

Scope

FortiGate.
Solution

This issue arises when no Phase-2 selector is configured in the IPSec tunnel. Trying to add a Phase-2 selector by selecting the edit button shows the error '-56 empty values are not allowed'.

The following image shows the error:

IPSec_KB.JPG

The following image shows an example of a configuration with no Phase-2 selector:

ipsec_kb2.JPG

Select 'Convert to Custom Tunnel' and try to add Phase-2 selectors as shown in the image below:

ipsec_kb4.JPG

Note:
If the encapsulation is set to transport-mode under the phase2 settings, the phase2-selector will be unavailable. Switch to tunnel-mode, and the phase2-selector will be available to configure.

config vpn ipsec phase2-interface
    edit "tunnel_name"
        set encapsulation tunnel-mode
end
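
To find affected tunnels before opening them in the GUI, the following added example (not part of the original article and not Fortinet code) scans a saved configuration backup for phase 1 tunnels that have no phase 2 entry and for phase 2 entries set to transport-mode. The tunnel names and the sample configuration are constructed, and the parser assumes a single-VDOM backup in the usual `config` / `edit` / `set` / `next` / `end` layout.

```python
import shlex

# Constructed sample in the layout of a FortiOS config backup (names are made up).
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "to-branch"
    next
    edit "to-dc"
    next
    edit "to-gre"
    next
end
config vpn ipsec phase2-interface
    edit "to-dc-p2"
        set phase1name "to-dc"
    next
    edit "to-gre-p2"
        set phase1name "to-gre"
        set encapsulation transport-mode
    next
end
'''

def parse_section(text, section):
    """Return {entry: {key: value}} for the first 'config <section>' block."""
    entries, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == f"config {section}" else 0
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry: skip its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            words = shlex.split(line)
            if words[:1] == ["edit"] and len(words) > 1:
                current = entries.setdefault(words[1], {})
            elif words[:1] == ["set"] and len(words) > 2 and current is not None:
                current[words[1]] = " ".join(words[2:])
    return entries

def audit_phase2(text):
    """List tunnels with no phase 2 entry and phase 2 entries in transport mode."""
    p1 = parse_section(text, "vpn ipsec phase1-interface")
    p2 = parse_section(text, "vpn ipsec phase2-interface")
    covered = {e.get("phase1name") for e in p2.values()}
    transport = [n for n, e in p2.items() if e.get("encapsulation") == "transport-mode"]
    return {"no_phase2": sorted(set(p1) - covered), "transport_mode": sorted(transport)}
```

Tunnels listed under `no_phase2` match the condition this article describes, and entries under `transport_mode` are the ones where the selector stays unavailable until encapsulation is switched to tunnel-mode.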

Related article:

Technical Tip: To Delete IPSec VPN tunnel Phase2 selector from FortiGate CLI