Assume the diagram below:

The following configuration is for a site-to-site tunnel; however, this option is also available for dynamic (remote access) tunnels.
This would require the FortiClient to be on version 7.4.1 and above. More details are visible in this document: IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1.

1. Create an IPsec tunnel on both FortiGates via CLI and ensure the IKE version is 2.

FortiGate-A:

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.2.115
        set psksecret XXX
    next
end

FortiGate-B:

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set interface "port1"
        set peertype any
        set ike-version 2
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 10.47.2.115
        set psksecret XXX
    next
end

2. Change the transport type to TCP.

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"

        set transport tcp

 end

This would force the FortiGate to use TCP as the transport when sending/receiving the IKE packets for this tunnel. 

3. Enable the 'fortinet-esp'.

config vpn ipsec phase1-interface
    edit "TCP_IPSEC"

        set fortinet-esp enable

end

This would force the FortiGate to use TCP as the transport when sending/receiving the ESP packets for this tunnel. This is not supported with FortiClient as a dial-up client. So, it is advised to keep it disabled when using FortiClient.

By default, the FortiGate will use TCP port 4500. It is possible to change this to a different port number by going to the global settings and modifying the 'ike-tcp-port' option.

config system settings
    set ike-tcp-port <integer>
end

Verification:

FortiGate-A # diagnose vpn ike gateway list

vd: root/0
name: TCP_IPSEC
version: 2
interface: port1 3
addr: 10.47.4.134:4500 -> 10.47.2.115:1265
tun_id: 10.47.2.115/::10.47.2.115
remote_location: 0.0.0.0
network-id: 0
transport: TCP
created: 2589s ago
peer-id: 10.47.2.115
peer-id-auth: no
PPK: no
IKE SA: created 1/1 established 1/1 time 160/160/160 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 46 8dfbaaa88edc80a0/5f7b0e209692b481
direction: responder
status: established 2589-2589s ago = 160ms
proposal: aes128-sha256
child: no
SK_ei: 8d9660ccfe355d6a-0784d7294ccda0bb
SK_er: 6a965e82a1d16c31-6ff77b02919f43b5
SK_ai: 405c0521a1fce02a-209bbcd4cec91112-c7db90ebd6d8e398-f6a5274c037bbdac
SK_ar: f3eee165e4b19d60-e97fd94542279032-fc5f3d9bdb748405-6e58918d00e07d2e
PPK: no
message-id sent/recv: 0/2
QKD: no
lifetime/rekey: 86400/83540
DPD sent/recv: 00000000/00000000
peer-id: 10.47.2.115

Verification of the IKE listening port from tcpsock.

Note 1:

This feature only works with IKE version 2, and it does not support ADVPN.

Note 2:

For v7.6.1 and above, TCP port 443 is used by default to encapsulate ESP packets within TCP headers using its proprietary solution. 

In production, changing the port to TCP 443 can cause interruption in IPsec traffic and require 'diagnose vpn ike restart' to bring the tunnel back.

Starting in v7.6.3, if administrators assign port 443 for HTTPS administrative access on an interface that is also bound to an IPsec tunnel, FortiOS will display a warning indicating that HTTPS access on that port will no longer be available.

This is because port 443 is also used for IKE over TCP, and in such cases, IKE takes precedence over HTTPS, resulting in the loss of GUI access on that interface.

For more information, see this document: GUI warnings for IKE-TCP port conflicts 7.6.3.

Note:

1. IPsec over TCP is not supported for the FortiClient free version for macOS.
2. Caution regarding the usage of IKE over TCP: it should only be used when UDP ports 500/4500 are blocked. IKE TCP can significantly impact performance, as tunnels cannot be offloaded, and traffic is processed in the CPU user space. The IKE daemon runs as a single process, making it prone to reaching high CPU utilization (up to 99%) when IKE over TCP is enabled.

Related articles:
Technical Tip: How to use TCP as the failback transport for IKE

Technical Tip: How to configure FortiGate to use TCP encapsulation of IKE and IPSec packets