rahul_p1
Staff
Article Id 403584
Description This article describes how to connect IPsec over TCP.
Scope FortiGate, FortiClient.
Solution

IPsec configuration via CLI:

config vpn ipsec phase1-interface
    edit "vpn01"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set comments "VPN: vpn01 (Created by VPN wizard)"
        set dhgrp 5
        set eap enable  <----------------
        set eap-identity send-request  <---------
        set authusrgrp "Guest-group"
        set transport tcp  <----------
        set ipv4-start-ip 172.16.10.10
        set ipv4-end-ip 172.16.10.30
        set dns-mode auto
        set save-password enable
    next
end

Configure the TCP port on the FortiGate over which the IPsec VPN will communicate:

config system settings
    set ike-tcp-port 5500  <---- Custom TCP port.
end

Note: The custom IKE port can only be configured from the CLI, not from the GUI.

Configure the IKE TCP port on FortiClient (supported on v7.4.1 or above) to 5500. The IKE TCP port can be changed only when IKE version 2 is used.

Sniffer of IPsec traffic when connecting over TCP port 5500:

2025-07-25 04:00:16.883637 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: syn 2908489094
2025-07-25 04:00:16.883754 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: syn 2697888134 ack 2908489095
2025-07-25 04:00:16.884102 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: ack 2697888135
2025-07-25 04:00:16.885216 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: psh 2908489095 ack 2697888135
2025-07-25 04:00:16.885224 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: ack 2908489101
2025-07-25 04:00:16.930118 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: psh 2908489101 ack 2697888135
2025-07-25 04:00:16.930155 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: ack 2908489572
2025-07-25 04:00:16.970492 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: psh 2697888135 ack 2908489572
2025-07-25 04:00:16.980067 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: psh 2908489572 ack 2697888493
2025-07-25 04:00:16.980097 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: ack 2908490106
2025-07-25 04:00:17.002804 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: psh 2697888493 ack 2908490106
2025-07-25 04:00:17.003641 port1 in 10.5.255.254.56325 -> 10.5.209.203.5500: psh 2908490106 ack 2697888627
2025-07-25 04:00:17.014050 port1 out 10.5.209.203.5500 -> 10.5.255.254.56325: psh 2697888627 ack 2908490192

Debug output of the IPsec VPN after connecting:

ike V=root:accepts tcp-transport(vd=0, vrf=0, intf=0:3, 10.5.209.203:5500->10.5.255.254:58304 sock=33 refcnt=2 ph1=(nil)) (1).
ike V=root:puts tcp-transport(vd=0, vrf=0, intf=0:3, 10.5.209.203:5500->10.5.255.254:58304 sock=33 refcnt=1 ph1=(nil)) refcnt=1
ike V=root:verify tcp-700: num=6, off=0, len=6, buf=0xe611948
ike V=root:verify tcp-711: num=6, off=6, len=6
ike V=root:0: comes 10.5.255.254:58304->10.5.209.203:5500,ifindex=3,vrf=0,len=465....
ike V=root:0: IKEv2 exchange=SA_INIT id=adbd335681a35fe9/0000000000000000 len=465
ike V=root:0:adbd335681a35fe9/0000000000000000:83:sa bind new tcp-transport(vd=0, vrf=0, intf=0:3, 10.5.209.203:5500->10.5.255.254:58304 sock=33 refcnt=1 ph1=(nil))
ike V=root:puts tcp-transport(vd=0, vrf=0, intf=0:3, 10.5.209.203:5500->10.5.255.254:58304 sock=33 refcnt=1 ph1=0xe60df60) refcnt=1
ike V=root:0:adbd335681a35fe9/0000000000000000:83: responder received SA_INIT msg
ike V=root:0:adbd335681a35fe9/0000000000000000:83: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
ike V=root:0:adbd335681a35fe9/0000000000000000:83: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=root:0:adbd335681a35fe9/0000000000000000:83: VID unknown (16): C1DC4350476B98A429B91781914CA43E
ike V=root:0:adbd335681a35fe9/0000000000000000:83: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:adbd335681a35fe9/0000000000000000:83: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:adbd335681a35fe9/0000000000000000:83: received notify type VPN_NETWORK_ID
ike V=root:0:vpn01:83: received FCT-UID : DF4B4CC5333149F680B887B242009CD0
ike V=root:0:vpn01:83: peer identifier IPV4_ADDR 10.5.145.190
ike V=root:0:vpn01:83: re-validate gw ID
ike V=root:0:vpn01:83: gw validation OK
ike V=root:0:vpn01:83: responder preparing EAP identity request
ike 0:vpn01:83: enc 2700000C010000000A05D1CB30000028020000009EADA
50AB9F6D9869EF09FBF2A0B8092DE0BFAE97381CF3FFA2D4FA0BD45AE8D000000090115000501020102
ike V=root:0:vpn01:83: local port change 0 -> 5500  <----- The local port changes to TCP port 5500.
ike V=root:0: comes 10.5.255.254:58304->10.5.209.203:5500,ifindex=3,vrf=0,len=80....
ike V=root:0: IKEv2 exchange=AUTH id=adbd335681a35fe9/1e39f12ec39c687d:00000002 len=80
ike 0: in ADBD335681A35FE91E39F12EC39C687D2E20
2308000000020000005030000034A13415E20B60F688A4
7C227000EA72B407BC99FC51F2BC3F3DF5019B5A99C302
3A41AC16A560CCE416D8EC81E14B8BCB
ike 0:vpn01:83: dec ADBD335681A35FE91E39F12EC3
9C687D2E202308000000020000002D300000040000000D
021500090154657374
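The byte counts in the sniffer above are consistent with the TCP encapsulation framing of RFC 9329 (successor to RFC 8229): the client's first 6-byte segment is the "IKETCP" stream prefix, and the following 471-byte segment is a 2-byte length field plus a 4-byte non-ESP marker plus the 465-byte IKE_SA_INIT reported in the debug. As an added example that is not part of this article, the Python below assumes that framing, rebuilds such a stream from the header fields visible in the debug, and parses it back the way a decoder for IKE on a custom TCP port (where 500/4500-based dissectors do not apply) would; all function and constant names are this example's own, and the message payloads are zero-filled constructed bytes, not the real packet contents.

```python
import struct

IKETCP_PREFIX = b"IKETCP"            # RFC 9329 stream prefix, sent once per TCP connection
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks an IKE message (an ESP packet starts with a non-zero SPI)
# IKEv2 header: SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HDR = struct.Struct(">QQBBBBII")
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08


def build_ike_message(spi_i, spi_r, next_payload, exchange, flags, msg_id, total_len):
    """Constructed IKEv2 message: genuine header fields, zero-filled payload (not real payload data)."""
    hdr = IKE_HDR.pack(spi_i, spi_r, next_payload, 0x20, exchange, flags, msg_id, total_len)
    return hdr + b"\x00" * (total_len - IKE_HDR.size)


def frame_ike_tcp(messages):
    """Encapsulate IKE messages into one TCP stream: prefix, then [2-byte length][marker][message]."""
    stream = IKETCP_PREFIX
    for m in messages:
        frame = NON_ESP_MARKER + m
        stream += struct.pack(">H", 2 + len(frame)) + frame  # the length field counts itself
    return stream


def parse_ike_tcp(stream):
    """Walk a captured stream; returns (prefix_len, [(frame_len, decoded header), ...])."""
    if not stream.startswith(IKETCP_PREFIX):
        raise ValueError("not an IKE-over-TCP stream: IKETCP prefix missing")
    off, records = len(IKETCP_PREFIX), []
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, off)
        if length < 2 + 4 + IKE_HDR.size or off + length > len(stream):
            raise ValueError(f"bad or truncated frame at offset {off}")
        body = stream[off + 2:off + length]
        if body[:4] != NON_ESP_MARKER:
            records.append((length, {"esp_spi": body[:4].hex()}))  # ESP, not IKE: nothing to decode
        else:
            spi_i, spi_r, _npl, _ver, exch, flags, mid, ike_len = IKE_HDR.unpack_from(body, 4)
            if ike_len != len(body) - 4:
                raise ValueError("IKE header length disagrees with TCP frame length")
            records.append((length, {"spi_i": f"{spi_i:016x}", "spi_r": f"{spi_r:016x}",
                                     "exchange": EXCHANGE_NAMES.get(exch, exch), "msg_id": mid,
                                     "initiator": bool(flags & FLAG_INITIATOR), "len": ike_len}))
        off += length
    return len(IKETCP_PREFIX), records


# Constructed stream from the debug's header fields: SA_INIT (SPIi adbd335681a35fe9, 465 bytes, first
# payload 33 = SA) and IKE_AUTH (SPIr 1e39f12ec39c687d, message ID 2, 80 bytes, first payload 46 = SK).
SA_INIT = build_ike_message(0xADBD335681A35FE9, 0, 33, 34, FLAG_INITIATOR, 0, 465)
IKE_AUTH = build_ike_message(0xADBD335681A35FE9, 0x1E39F12EC39C687D, 46, 35, FLAG_INITIATOR, 2, 80)
CAPTURED_STREAM = frame_ike_tcp([SA_INIT, IKE_AUTH])  # 6 + 471 + 86 bytes; 6 and 471 match the sniffer
```

Only the 6-byte and 471-byte segment sizes are taken from the sniffer; the later client segments carry further exchanges whose sizes the article does not break down.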