SuperUser

Question

Dialup IPsec over TCP with FortiClient VPN - a gotcha

Forum|Forum|4 months ago
January 12, 2026
4 replies
1238 views

There were multiple conversations at this community about this subject on both sides: "should work" and " not supported".
I just found the culprit when my new phase1-interface configuration of this dialup IKEv2 over TCP on FG60F 7.4.9 didn't work with FortiClient VPN 7.4.3, which were properly configured to use transport - TCP 4500 both sides. It was NPU offloading at the VPN policy.

In multiple documentations for the IPsec over TCP, it was mentioned NPU offloading and ADVPN are NOT supported. So, I tried disabling the NPU offloading at the polcy with:
set auto-asic-offload disable

Before this change, nothing showed up in IKE debugging although connection request packets were hitting at at the wan1 interface at TCP 4500. Then, as soon as I made the change, the request came through and showed up in the IKE debugging and got connected.

[below x.x.x.x is FG60F IP]
ike V=root:accepts ike tcp-transport(vd=0, vrf=0, intf=0:5, x.x.x.x:4500->y.y.y.y:10670 sock=33 refcnt=2 ph1=(nil)) (1).
ike V=root:0: comes y.y.y.y:10670->x.x.x.x:4500,ifindex=5,vrf=0,len=337....
ike V=root:0: IKEv2 exchange=SA_INIT id=fbec19b1395c657e/0000000000000000 len=337
--<snip>---
ike V=root:0:dupipsec_0:238140:dupipsec:9385: sending SNMP tunnel UP trap

I don't think this condition was written anywhere, or at least it's hard to be found if it's at somewhere.

Toshi

Toshi_EsumiAuthor

SuperUser

Of course you need to expect some impact to both vpn performance and CPU usage though because NPU offloading is disabled.

Toshi

BillH_FTNT

Staff

Hi @Toshi_Esumi

1. IPsec packets are also offloaded to the NPU. When packets are offloaded, fewer packets appear in debug or sniffer outputs. When we disable offloading, all packets are processed by the kernel, and debugging/sniffer tools will display full information

2. For the issue "I just found the culprit when my new phase1-interface configuration of this dialup IKEv2 over TCP on FG60F 7.4.9 didn't work with FortiClient VPN 7.4.3" ==> I will cross check this in my lab then share the result with you. Thanks

Bill

Toshi_EsumiAuthor

SuperUser

By the way, this method still doesn't work for MacOS version of FortiClient VPN. Because Mac version doesn't have the same setting menu for IPsec over TCP unlike the Windows version. It would be accomplished if we can modify the saved XML config file. But it's not possible because password encryption is mandated when you save the config. Now you can not modify the config file with a text editor.
That's why you hear often "have to have the EMS version" of FortiClient where you can modify the config.

Toshi

funkylicious

SuperUser

hi @Toshi_Esumi ,

on my Mac running FCT 7.4.1 i can save the config w/o a password so the backup is in clear text.

as far as i know, a password encrypted backup is required only for Windows.

"jack of all trades, master of none"

Toshi_EsumiAuthor

SuperUser

Does MacOS version FCT VPN 7.4.1 support IPsec over TCP? I thought the support was started with 7.4.3.

Toshi

GauravPandya

Explorer

We have tested the same scenario last week successfully.

FGT - 7.4.9

FortiClient - 7.4.3

Dialup IPSEC VPN

Authentication - SAML

set auto-asic-offload setting is enabled and it is working as expected

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded