ryanswj
New Contributor

FortiClient Remote Access IPsec-over-TCP not working

Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSLVPN to IPsec VPN.

I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPSec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.

I also notice that TCP 4500 is not one of the local-in policies on the firewall.

Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?

Thank you!
Toshi_Esumi

Oh, by the way, you might need to "set npu-offload disable" at the phase1 config, instead of "set auto-asic-offload disable" on the policy, to see the IKE debug output.

Toshi

ryanswj

Hi Toshi, thanks for getting back.

Regarding your comments:

  1. Yes, FortiGate is at 7.4.7 (upgraded from 7.2.11) and FortiClient being used is 7.4.3
  2. "set fortinet-eap" seems to break FCT for UDP-based IPsec connections, so I disabled it
  3. If I set transport tcp, no connection can be made - FCT times out, and nothing is seen on fortigate diag debug app ike -1
  4. If I set transport udp-fallback-tcp, I can connect via UDP, and I see the right debug messages appear on diag debug app ike -1, but if I force FCT to use TCP, it times out, same as above
  5. Changing the default tcp port from 4500 to some other port doesn't work either

You mentioned that you managed to get TCP transport to work. Could I know what version of FortiOS and Client you used, and whether it was a clean install or not?

I wonder if I'm running into some weird upgrade bug that is blocking TCP 4500 from listening.

rtanagras

Hi @ryanswj - it looks like a bug; wait until they release 7.4.8 and recheck the behavior. Also, if possible, could you try the following?

- Enable fortinet-esp

config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport udp-fallback-tcp
set fortinet-esp enable
set fallback-tcp-threshold 10
next
end

- Confirm the changes:

diag vpn ike gateway list name "rav-HCVPN"

- Clear sessions:

diag sys session filter clear
diag sys session filter dport 4500
diag sys session clear

- Log in to FortiClient and confirm if it connects.

- Check if IPSec traffic is being received.

Note: If the above steps don't work, disable fortinet-esp and run another series of tests.

config vpn ipsec phase1-interface
edit "rav-HCVPN"
set fortinet-esp disable
next
end

If it's still the same, set the transport to auto and force FortiClient to use TCP.

config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport auto
unset fortinet-esp enable
unset fallback-tcp-threshold 10
next
end

Best,
Ricky
ryanswj

Hi Ricky, thanks for your reply.

@rtanagras wrote:

- Enable fortinet-esp

config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport udp-fallback-tcp
set fortinet-esp enable
set fallback-tcp-threshold 10
next
end

- Confirm the changes:

diag vpn ike gateway list name "rav-HCVPN"

- Clear sessions:

diag sys session filter clear
diag sys session filter dport 4500
diag sys session clear

- Log in to FortiClient and confirm if it connects.

- Check if IPSec traffic is being received.

Yes, this works, I can see the connection attempt on diag vpn ike gateway list, but the connection is in UDP mode. I also get the 2FA prompts.

However, I find that set fortinet-esp enable breaks even the UDP VPN connection - the connection establishes fine, but I am not able to connect to anything over the tunnel.

unset fortinet-esp enable makes everything work properly again.

Here is the output of diag vpn ike gateway list name "rav-HCVPN":

vd: root/0
name: rav-HCVPN
version: 2
interface: wan1 5
addr: XX:4500 -> YY:500
tun_id: 10.0.0.5/::10.0.0.5
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 10s ago
eap-user: XX
2FA: yes
FortiClient UID: XX
pending-queue: 0
PPK: no
IKE SA: created 1/1
IPsec SA: created 0/0

@rtanagras wrote:

If it's still the same, set the transport to auto and force FortiClient to use TCP.

config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport auto
unset fortinet-esp enable
unset fallback-tcp-threshold 10
next
end

set transport auto doesn't exist in FOS 7.4.6 apparently, so I've set it to udp-fallback-tcp. I've unset fortinet-esp and fallback-tcp-threshold for this test.

I force FortiClient to use IPsec-over-TCP, but FCT times out, I see the same SYN-ACK-RST thing I saw earlier, and there are no log entries in the firewall:

FW # diag vpn ike gateway list name "rav-HCVPN"

FW # 
Toshi_Esumi

I'm using 7.4.2.1737 running on Win10. Not sure what you meant by "clean install", but I didn't see any errors when I installed it last year.
The FGT side is FG60F 7.4.6. And I set both sides to use ONLY TCP 4500. And it's still working when I tested last night.

Toshi

AEK
SuperUser

Hi Ryan

I see from your output that your client is resetting the connection.

localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]

And you said "Using FCT on iOS, I can get log entries to appear, so I'm not sure what the issue is anymore".

I think it is a good idea to try other versions. Can you try 7.4.2 and 7.4.1?

AEK
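Added here as an example (not code from the thread or from Fortinet): a small Python triage script that reads capture-style lines in the format quoted above and tells apart a client-side reset after the handshake (the case above) from a SYN refused by the server or a SYN that is never answered. The line format and the sample exchanges are constructed assumptions.

```python
# Added example (not from the thread): classify a TCP handshake to an IPsec-over-TCP
# port from capture-style lines of the form '<src> to <dst>: <sport> -> <dport> [FLAGS]'.
import re

LINE_RE = re.compile(r"^(\S+) to (\S+): (\d+) -> (\d+) \[([A-Z, ]+)\]$")

# Constructed sample: the exchange quoted above (client tears down after the handshake)
SAMPLE_CLIENT_RST = """\
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]
"""
# Constructed sample: nothing accepting TCP on the server port (SYN answered with RST)
SAMPLE_SERVER_REFUSED = """\
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [RST, ACK]
"""
# Constructed sample: SYN retransmitted and never answered (dropped on the path)
SAMPLE_NO_ANSWER = "localip to vpnserver: 54895 -> 4500 [SYN]\n" * 3

def parse_lines(text):
    """Return (src, dst, sport, dport, flagset) tuples; unparseable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, sport, dport, flags = m.groups()
            pkts.append((src, dst, int(sport), int(dport), {f.strip() for f in flags.split(",")}))
    return pkts

def triage(text, server_port=4500):
    """One of: no-syn, no-answer, server-refused, server-rst, client-rst, handshake-ok."""
    pkts = parse_lines(text)
    # The client is whoever sent the first bare SYN towards server_port.
    client = next((p[0] for p in pkts if p[3] == server_port and p[4] == {"SYN"}), None)
    if client is None:
        return "no-syn"
    synack_seen = False
    for src, _dst, _sport, _dport, flags in pkts:
        from_server = src != client
        if from_server and {"SYN", "ACK"} <= flags:
            synack_seen = True  # the server is listening and accepted the SYN
        elif "RST" in flags:
            if from_server:
                return "server-rst" if synack_seen else "server-refused"
            if synack_seen:
                return "client-rst"  # the thread's case: the client itself gives up
    return "handshake-ok" if synack_seen else "no-answer"
```

A "client-rst" result points at the client side (FortiClient build, settings) rather than at a missing listener on the FortiGate, which would show up as "server-refused" or "no-answer" instead.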
rtanagras

Not sure, but it looks like FortiClient is rejecting it at this point. Let's check the behavior when fortinet-esp is disabled in his testing. It also seems like he's using macOS for testing—if it's the latest version, it's on ARM, so only FortiClient 7.4.3 will work. By default, it uses port 4500, which looks correct in his packet capture.

Best,
Ricky
ryanswj

Hi Ricky, it's actually FCT 7.4.2 and 7.4.3 on Windows x64!

I've tried this on:

  • Azure VM running Win10 22H2 x64
  • Laptop running Win11 23H2 x64
rtanagras

Hi @ryanswj - okay, thanks for confirming.

Best,
Ricky
ryanswj
New Contributor

Hi AEK, I've tested FCT 7.4.2 to no avail, I will try 7.4.1 later but I've heard that that also comes with its own set of bugs...
