FortiGate
ssanga
Staff & Editor
Article Id 400716
Description: This article describes an issue where dial-up users using TCP encapsulation fail to connect to the IPsec VPN, or administrators are unable to log in to the FortiGate web GUI.
The cause is a port conflict that arises only when admin-sport is set to the custom port 11443 and a non-default IKE TCP port is configured at the same time.
Scope: FortiGate v7.4.8+, v7.6.1+.
Solution

When a non-default IKE TCP port is configured (that is, any port other than the default port 4500) and admin-sport is set to 11443, dial-up users may be unable to connect to the IPsec VPN using TCP encapsulation. See the FortiClient 7.4.0 New Features Guide, IPsec VPN over TCP on Windows, macOS, and Linux, for more information on TCP encapsulation.

Example configuration:

config system settings
    set ike-tcp-port 7443
end

config system global
    set admin-sport 11443
end

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set keylife 3600
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-demand
        set dhgrp 20 14 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "dial-up vpn users"
        set transport tcp
        set ipv4-start-ip 192.168.12.1
        set ipv4-end-ip 192.168.12.99
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "plan"
        set save-password enable
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "dial-up"
        set phase1name "dial-up"
        set proposal aes256-sha256
        set dhgrp 20 14 5
        set keylifeseconds 3600
    next
end

When a connection to the IPsec VPN is attempted from FortiClient, no output is seen in the IKE debug output, and no socket for the IKE daemon is shown in the tcpsock output:

diagnose debug application ike -1
diagnose debug enable
diagnose sys tcpsock | grep ike

When a FortiGate configured with a non-default IKE TCP port is rebooted, GUI access may be lost while VPN connectivity over TCP succeeds, because the service that starts first wins the port.

Cause:

Starting from v7.4.8 and v7.6.1, the IKE daemon (iked) creates a TCP socket on port 11443 whenever a non-default IKE TCP port is configured. Traffic arriving on the non-default IKE TCP port on an IPsec-enabled interface is redirected internally to port 11443.

FGT# diagnose sys tcpsock | grep ike
0.0.0.0:11443->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=123712 process=221/iked
0.0.0.0:4500->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=123710 process=221/iked

If both the IKE daemon and the administrative web GUI attempt to use this port, a conflict occurs. The service that binds to the port first operates normally, while the other is unable to use the port.
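The following Python script is an added configuration-audit example, not Fortinet's code and not part of the article: it reads the two settings involved (ike-tcp-port under `config system settings`, admin-sport under `config system global`) from a configuration dump, parses `diagnose sys tcpsock` output in the format shown above to confirm which process holds port 11443, and flags the conflict only in the combination the article describes (non-default IKE TCP port plus admin-sport 11443). The sample config and tcpsock lines are constructed from the article's example values, and the default admin-sport of 443 is an assumption about FortiGate defaults.

```python
import re

# Constructed sample: the two settings involved in the conflict, using the
# port values from the article's example configuration.
SAMPLE_CONFIG = """\
config system settings
    set ike-tcp-port 7443
end

config system global
    set admin-sport 11443
end
"""

# Constructed sample of `diagnose sys tcpsock | grep ike` output, in the
# format shown in the article (inode and pid values are illustrative).
SAMPLE_TCPSOCK = """\
0.0.0.0:11443->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=123712 process=221/iked
0.0.0.0:4500->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=123710 process=221/iked
"""

DEFAULT_IKE_TCP_PORT = 4500    # default ike-tcp-port (stated in the article)
DEFAULT_ADMIN_SPORT = 443      # assumed: FortiGate's default admin-sport
IKE_INTERNAL_TCP_PORT = 11443  # internal listener iked opens when ike-tcp-port is non-default


def get_setting(config, key, default):
    """Return the integer value of `set <key> <n>` in a config dump, or `default` if absent."""
    m = re.search(rf"^\s*set {re.escape(key)} (\d+)\s*$", config, re.MULTILINE)
    return int(m.group(1)) if m else default


def parse_tcpsock(output):
    """Parse tcpsock lines into (local_ip, local_port, state, process) tuples."""
    pattern = re.compile(r"^([^:\s]+):(\d+)->[^:\s]+:\d+->state=(\w+).*process=(\S+)")
    sockets = []
    for line in output.splitlines():
        m = pattern.match(line.strip())
        if m:
            sockets.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return sockets


def listeners_on(sockets, port):
    """Names of processes holding a listening socket on `port`."""
    return sorted({proc for _, p, state, proc in sockets if p == port and state == "listen"})


def check_port_conflict(config, tcpsock_output=""):
    """Flag the admin-sport / IKE-over-TCP conflict described in the article.

    The conflict exists only when ike-tcp-port is non-default (so iked opens
    its internal 11443 listener) AND admin-sport is also 11443.
    """
    ike_tcp_port = get_setting(config, "ike-tcp-port", DEFAULT_IKE_TCP_PORT)
    admin_sport = get_setting(config, "admin-sport", DEFAULT_ADMIN_SPORT)
    ike_uses_internal_port = ike_tcp_port != DEFAULT_IKE_TCP_PORT
    conflict = ike_uses_internal_port and admin_sport == IKE_INTERNAL_TCP_PORT
    holders = listeners_on(parse_tcpsock(tcpsock_output), IKE_INTERNAL_TCP_PORT)
    return {
        "ike_tcp_port": ike_tcp_port,
        "admin_sport": admin_sport,
        "conflict": conflict,
        "iked_listening_on_11443": any(h.endswith("/iked") for h in holders),
        "recommendation": (
            f"admin-sport {admin_sport} collides with iked's internal TCP listener on "
            f"{IKE_INTERNAL_TCP_PORT}; move admin-sport to another port"
            if conflict else "no conflict"
        ),
    }


if __name__ == "__main__":
    for key, value in check_port_conflict(SAMPLE_CONFIG, SAMPLE_TCPSOCK).items():
        print(f"{key}: {value}")
```

The check deliberately does not flag admin-sport 11443 on its own: with the default IKE TCP port, iked never opens the internal 11443 listener, so there is nothing to collide with. Feed it a full `show full-configuration` dump and the tcpsock output from a unit that has lost GUI access to confirm the cause before changing ports.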

Resolution:

To avoid this conflict, configure admin-sport to use a port other than 11443 whenever a non-default IKE TCP port is configured.