jonson-red
New Member
January 28, 2026
Question

IPsec dial‑up fails only with FortiClient 7.4.3 (SSL‑VPN OK) on FortiGate 7.4.9 — Phase1 up then tun

  • 5 replies
  • 593 views

Hello, community members. I'm currently testing a migration from SSL VPN to IPsec on FortiGate v7.4.9.

Client: FortiClient
  • FortiClient 7.0.9: IPsec connects successfully (no issues)
  • FortiClient 7.4.3: IPsec fails - appears to connect for a moment but then immediately disconnects

The FortiGate CLI (diagnose debug application ike -1) reveals the following:
  • IKEv2 authentication succeeded
  • Phase 1 (IKE_SA) is established
  • The client appears to receive an IP address (mode-cfg), but the tunnel immediately goes down

SSL VPN from the same client to the same FortiGate works fine. Has anyone experienced this issue with FortiClient 7.4.3 and FortiGate 7.4.9?

Are there any known interoperability changes (EAP settings, Phase 2 proposal/TS selector behavior, DPD/NAT-T, IPsec-over-TCP specifics, etc.) that could cause Phase 1 to be fine, but Phase 2 to immediately drop? If you have any suggestions or ideas, please let me know. Thanks!

Jean-Philippe_P
Staff & Editor
January 31, 2026

Hello jonson-red,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team

tbarua
Staff
January 31, 2026

Hi Jonson-red,

Have you encountered any specific error in the debug logs which verifies the issue with phase 2? If possible, can you test with FCT v7.4.4? 

jonson-red
New Member
February 5, 2026

Hi Tuli,

At this moment, we haven’t been able to identify any specific errors in the debug logs that clearly indicate an issue with Phase 2. We will recheck the IKE debug logs again to see if we can find any relevant information.

Regarding your suggestion, we are currently using only the free version, so unfortunately we are not able to test with FCT v7.4.4.

We will update you if we find anything new from the logs.

Best regards,
Jonson-red

tomaszs
New Member
February 1, 2026

Either you upgrade to the paid version of the client, or you manually edit the .xml file and enter EAP.
In version 7.4.4 the same issue occurs — I reported it to support and this was their recommendation. It works.

jonson-red
New Member
February 5, 2026

Hi tomaszs,
At this time, we are using only the free version of the client, so upgrading to the paid version would be difficult for us.

Regarding the option to manually edit the XML file, could you please clarify exactly which section or parameters need to be modified to configure EAP?

Any additional details or examples would be appreciated.
Best regards,
Jonson-red

vpolovnikov
Staff & Editor
February 5, 2026

Hello jonson-red,

I think tomaszs refers to EAP configuration described in this article: How to enable EAP-TTLS for IPSec IKEv2 tu... - Fortinet Community

Let me know if it helps.

tomaszs
New Member
February 5, 2026

Attach the .xml and I'll look at the settings - delete passwords and public addresses.

tomaszs
New Member
February 8, 2026

It must be like this in the configuration.

<ike_settings>
                        <version>2</version>
                        <eap_method>2</eap_method>