FortiGate
amatos (Staff)
Article Id 369204
Description

This article describes an issue where an IPsec VPN connection from FortiClient over TCP is not established, even though TCP transport was configured in FortiClient, as in the example below:

 

(Screenshot: FortiClient VPN settings with TCP selected as the transport.)

Scope

FortiGate, FortiClient.
Solution

In the IKE debug output on the FortiGate (diagnose debug application ike -1), the following error messages appear:

 

(Screenshot: IKE debug output showing the 'wrong transport, phase 1 uses non udp' error.)

 

As stated in Technical Tip: How to use TCP as transport for IKE/IPsec traffic, the transport type must also be set to TCP on the FortiGate side. Configuring it only in FortiClient is not sufficient and produces errors like the ones shown above, because the FortiGate still expects IKE over UDP.

 

To configure on the FortiGate's side:

  1. Change the transport type to TCP:

    config vpn ipsec phase1-interface
        edit "TCP_IPSEC"
            set transport tcp
        next
    end

  2. Enable fortinet-esp on the same phase1-interface:

    config vpn ipsec phase1-interface
        edit "TCP_IPSEC"
            set fortinet-esp enable
        next
    end

 

  3. Set the IKE TCP port. It must match the port configured in FortiClient, in this case 443. If it is not defined, the FortiGate uses 4500 by default:

    config system settings
        set ike-tcp-port 443
    end
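The three steps above as one consolidated FortiGate CLI session, followed by the commands used to verify the result. This is an added example, not part of the original article: the tunnel name "TCP_IPSEC" and port 443 are taken from the article's example, and the verification commands are standard FortiOS diagnostics that are not shown in the article.

```fortios
# Added example (not from the article). Tunnel name "TCP_IPSEC" and
# port 443 are assumed from the article's example; adjust to your tunnel.

# Steps 1 and 2: TCP transport and fortinet-esp on the phase 1 interface
config vpn ipsec phase1-interface
    edit "TCP_IPSEC"
        set transport tcp
        set fortinet-esp enable
    next
end

# Step 3: IKE TCP port, matching the port set in FortiClient
config system settings
    set ike-tcp-port 443
end

# Confirm the settings were committed
show vpn ipsec phase1-interface TCP_IPSEC
show system settings | grep ike-tcp-port

# Reconnect from FortiClient, then check the phase 1 / tunnel state
diagnose vpn ike gateway list name TCP_IPSEC
get vpn ipsec tunnel summary

# If the tunnel still does not come up, capture IKE debug output
# while reproducing the connection attempt, then turn debugging off
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the FortiClient connection attempt ...
diagnose debug disable
diagnose debug reset
```

The lines beginning with # are explanatory comments. If the gateway list shows the tunnel negotiating over TCP and the debug output no longer contains the 'wrong transport' message, the FortiGate-side configuration is complete; any remaining failure is then on the path between the client and the FortiGate (for example, TCP 443 to the FortiGate being blocked) rather than a transport mismatch.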

 

With that, the 'wrong transport, phase 1 uses non udp' error should no longer appear in the IKE debug output, and the IPsec VPN connection over TCP should be established.

 
