Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syao
Staff & Editor
Staff & Editor

Created on ‎03-24-2024 10:14 PM Edited on ‎08-21-2025 08:35 AM By Staff

Article Id 306277

Technical Tip: How to use TCP as the failback transport for IKE

Description This article explains that as of v7.4.2, FortiGate can use TCP as the transport protocol for IKE traffic in cases where the phase1 tunnel fails to establish using UDP.
Scope FortiGate v7.4.2 or above.
Solution

diagram.png

 

Create an IPsec tunnel on both FortiGates via CLI and set the 'udp-fallback-tcp' as the transport:

In Hub:

 

config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set transport udp-fallback-tcp
        set psksecret ENC /Xfyk1KMHQh8VPT+pvBOVDYLxueOIIIyjPgV9wVy9

ODMGgV6e2SmrKZ8RV7lN2zYi90YfSjtSReqnG03jZprua5ilYLGr

+08lSf7ZCTmaVb4SUV9cwAT3ZSi2Uun9QeU4YX/4d2hLtYMGIjSp

4KNNztPF8p5bY1NiHb9FUVV1/WDKrfcjmD3ZHuQFsGs1FWZSYf1yg==
        set dpd-retryinterval 5
    next
end

 

In Spoke (FortiGate-A):

 

config vpn ipsec phase1-interface
    edit "ToSiteB"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256
        set transport udp-fallback-tcp
        set remote-gw 10.47.3.71
        set psksecret ENC oZ4v2sjQVKgcYiKyqhYc1Z5WwUxM6HY7q/lCsZvYAI4QLmvnw2G92wvvO5M8dTx3TvK0EoJY3w8HqAYE1LXw2qWZoixyl

sxLVDccgUrm7PgjsfH1CnbPfr2pRAPhLNV7zAFqoAHZSgnas/7FTmEwWYw

fBn1CInk0jJkY9j4EJ39f/ZevB9NtGbSRr8fm7NQdZ2VYFA==
    next
end


Verification in IKE debug:

Spoke tries to form the tunnel using UDP as the transport:

 

2024-03-24 18:53:41.348499 ike V=root:0:ToSiteB:63: sent IKE msg (SA_INIT): 10.30.2.115:500->10.47.3.71:500, len=448, vrf=0, id=af39a06c1ad1a5a1/0000000000000000, oif=3

 

After 15s, the Spoke tries to form the tunnel using TCP:


2024-03-24 18:53:56.324502 ike V=root:0:ToSiteB:63: udp-fallback-tcp timeout, use tcp port 4500
2024-03-24 18:53:56.326903 ike V=root:creates tcp-transport(vd=0, vrf=0, intf=3:3, 10.30.2.115:6299->10.47.3.71:4500 sock=31 refcnt=2 ph1=0xe4400a0) (1).
2024-03-24 18:53:56.331655 ike V=root:puts tcp-transport(vd=0, vrf=0, intf=3:3, 10.30.2.115:6299->10.47.3.71:4500 sock=31 refcnt=1 ph1=0xe4400a0

 

To verify the transport of the tunnel, use the command ' diagnose vpn ike gateway list <name>':

 

Kancil-kvm40 # diagnose vpn ike gateway list name ToSiteB | grep transport
transport: TCP

 

The 15s is the default timer before the FortiGate uses the TCP, this timer can be changed between <1> to <300> using the ' fallback-tcp-threshold' option under phase1-interface settings.

 

config vpn ipsec phase1-interface
    set fallback-tcp-threshold <1> to <300>
end

 

Note: Starting from FortiOS 7.6.0, in the config vpn ipsec phase1-interface command, the option set transport udp-fallback-tcp has been changed to set transport auto, and set fallback-tcp-threshold has been changed to set auto-transport-threshold.

See the release notes in the FortiGate documentation.

 

Related document:
3276
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.