ryanswj
New Member
March 21, 2025
Question

FortiClient Remote Access IPsec-over-TCP not working

  • March 21, 2025
  • 23 replies
  • 43238 views

Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSLVPN to IPsec VPN.

I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPSec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.

I also notice that TCP 4500 is not one of the local-in policies on the firewall.

Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?

Thank you!

23 replies

rtanagras
Staff & Editor
March 21, 2025

As far as I know, you don't need to configure a local-in policy for it to work, unless there are existing restrictions configured on your FortiGate that block certain services from entering the WAN interface.

AEK
SuperUser
March 21, 2025
ryanswj (Author)
New Member
March 21, 2025

Hi there, yep, I've read through this tech tip, and have played with the following settings:

set transport tcp
set fortinet-esp enable

Set or unset, it makes no difference, unfortunately.

maulishshah
Staff
March 21, 2025

Hi Ryan,

Follow the shared article, and if the configuration is okay and FortiClient is still unable to connect, please run the following debug commands:

di de application ike -1

di de console timestamp en

di de en

Now, initiate the connection from FortiClient and verify what the error could be.

Here is the troubleshooting tip for IPSEC VPN:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-tunnels/ta-p/195955

ryanswj (Author)
New Member
March 21, 2025

Hi Maulish,

Thanks for your reply. I enabled the debugging messages but didn't even see the FC attempting to hit the box.

FortiClient says that the connection timed out. There's working Internet connection on the box.

maulishshah
Staff
March 21, 2025

Hi Ryan, can you please run a Wireshark capture on the Windows machine on which you installed FortiClient, and run the following command on the FortiGate to verify the communication?
di sniff packet any ' host x.x.x.x ' 6 0 l 

x.x.x.x is the public IP that you are trying to connect from.

ryanswj (Author)
New Member
March 21, 2025

Here's the config of the phase1-interface:

config vpn ipsec phase1-interface
    edit "ra-HCVPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.1.11
        set ipv4-dns-server2 X.X.1.16
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: ra-HCVPN (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set transport udp-fallback-tcp
        set fortinet-esp enable
        set ipv4-start-ip X.Y.0.1
        set ipv4-end-ip X.Y.0.10
        set save-password enable
        set psksecret ENC XXX

rtanagras
Staff & Editor
March 21, 2025

Based on the config (set transport udp-fallback-tcp), UDP is preferred and TCP is the fallback.

Change to:

config vpn ipsec phase1-interface
edit "ra-HCVPN"
set transport tcp
end

To verify:

diag vpn ike gateway list

Look for 'transport: TCP'. This confirms that you're using TCP.

ryanswj (Author)
New Member
March 21, 2025

Hi Ricky, actually udp-fallback-tcp is the expected behavior. The problem is that the TCP part never works; it just fails to connect. UDP works flawlessly. SSLVPN also works flawlessly on this box.

maulishshah
Staff
March 21, 2025
Toshi_Esumi
SuperUser
March 21, 2025

What's in IKE debug? diag debug app ike -1

Toshi

fn-hmx
New Member
March 22, 2025

deleted

AEK
SuperUser
March 22, 2025

Hi Ryan

I see from your output that your client is resetting the connection.

localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]

And you said "Using FCT on iOS, I can get log entries to appear, so I'm not sure what the issue is anymore".

I think it is a good idea to try other versions. Can you try 7.4.2 and 7.4.1?

AEK
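To make the reading of that capture repeatable, here is an added example (my own code, not from the thread or from Fortinet): it parses flow lines in the same "src to dst: sport -> dport [FLAGS]" shape as the ones quoted above and reports where the TCP 4500 handshake stopped, which tells you which side to debug next. The sample lines are constructed to mirror the exchange in this post.

```python
"""Classify where a TCP 4500 (IPsec-over-TCP) handshake stopped, from flow lines."""
import re
from typing import List, Optional

# Matches lines such as "localip to vpnserver: 54895 -> 4500 [SYN, ACK]"
FLOW_RE = re.compile(
    r"^(?P<src>\S+) to (?P<dst>\S+): (?P<sport>\d+) -> (?P<dport>\d+) \[(?P<flags>[^\]]+)\]$"
)

# Constructed sample modelled on the exchange quoted in the thread (not a real capture).
SAMPLE_LINES = [
    "localip to vpnserver: 54895 -> 4500 [SYN]",
    "vpnserver to localip: 4500 -> 54895 [SYN, ACK]",
    "localip to vpnserver: 54895 -> 4500 [ACK]",
    "localip to vpnserver: 54895 -> 4500 [RST, ACK]",
]


def classify_handshake(lines: List[str], server_port: int = 4500) -> str:
    """Return one of: no-syn, no-synack, no-ack, client-reset, server-reset, established.

    no-synack  -> the server never answered; look at the FortiGate side (listener, local-in).
    client-reset -> the client tore the session down after the handshake; look at the client.
    server-reset -> the server tore it down; look at the FortiGate side.
    """
    saw_syn = saw_synack = saw_ack = False
    client: Optional[str] = None
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a flow line
        flags = {f.strip() for f in m["flags"].split(",")}
        to_server = int(m["dport"]) == server_port
        if to_server and flags == {"SYN"}:
            saw_syn, client = True, m["src"]
        elif not to_server and flags == {"SYN", "ACK"}:
            saw_synack = True
        elif "RST" in flags:
            if not saw_syn:
                return "no-syn"
            return "client-reset" if m["src"] == client else "server-reset"
        elif to_server and flags == {"ACK"} and saw_synack:
            saw_ack = True
    if not saw_syn:
        return "no-syn"
    if not saw_synack:
        return "no-synack"
    return "established" if saw_ack else "no-ack"
```

Run it over lines copied from the FortiGate sniffer or a Wireshark export in the same shape; a result of no-synack points at the FortiGate, client-reset at FortiClient.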
rtanagras
Staff & Editor
March 22, 2025

Not sure, but it looks like FortiClient is rejecting it at this point. Let's check the behavior when fortinet-esp is disabled in his testing. It also seems like he's using macOS for testing—if it's the latest version, it's on ARM, so only FortiClient 7.4.3 will work. By default, it uses port 4500, which looks correct in his packet capture.

ryanswj (Author)
New Member
March 23, 2025

Hi Ricky, it's actually FCT 7.4.2 and 7.4.3 on Windows x64!

I've tried this on:

  • Azure VM running Win10 22H2 x64
  • Laptop running Win11 23H2 x64

mbqc
New Member
April 18, 2025

Did you manage to get this working? We are facing the exact same issue with a 90G.

FC 7.4.3.1790, FortiOS 7.4.7

ryanswj (Author)
New Member
April 21, 2025

No, I have not. I think it may be a bug in 7.4.7, so am waiting for the next version to be released. Let me know if you make any headway.

MZBZ
Staff
April 21, 2025

1. FreeVPN FortiClient does not support IKEv2 over TCP. It works with the EMS connected version!

2. Both FortiOS and FortiClient will get a major enhancement in the next release (FortiOS 7.4.8 and FortiClient 7.4.4) that will address your issues...

ryanswj (Author)
New Member
April 21, 2025

Oh... that would explain everything! Do you know the ETA of FOS 7.4.8 or FC 7.4.4, and whether both are required to make this work, or whether just the FC upgrade will do?

MZBZ
Staff
April 21, 2025

The issue on FortiOS side is different in nature from the FortiClient side. Troubleshooting this problem is hard as you do not know which side is causing the unexpected behavior. You may confirm the fix from Release Notes when published.

ryanswj (Author)
New Member
June 2, 2025

I wanted to give an update on this.

I updated to 7.4.8 on the 60F and it seems to work now. I can see

transport: TCP

in diag vpn ike gateway list.

To anyone who is facing this issue, maybe upgrade to FortiOS 7.4.8 and try again?

VictorT
New Member
July 1, 2025

Hi @ryanswj Can you share your full config? phase1 and phase2. I have already upgraded to 7.4.8 and still facing the issue.