Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSLVPN to IPsec VPN.
I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPSec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.
I also notice that TCP 4500 is not one of the local-in policies on the firewall.
Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?
Thank you!
Created on 03-21-2025 11:38 PM Edited on 03-21-2025 11:38 PM
Oh, by the way, you might need to "set npu-offload disable" in the phase1 config, instead of "set auto-asic-offload disable" on the policy, to see the IKE debug output.
Toshi
Created on 03-22-2025 12:23 AM Edited on 03-22-2025 12:24 AM
Hi Toshi, thanks for getting back.
Regarding your comments:
You mentioned that you managed to get TCP transport to work. Could I know what version of FortiOS and Client you used, and whether it was a clean install or not?
I wonder if I'm running into some weird upgrade bug that is blocking TCP 4500 from listening.
Created on 03-22-2025 04:04 AM Edited on 03-22-2025 04:50 AM
Hi @ryanswj, it looks like a bug; wait until they release 7.4.8 and recheck the behavior. Also, if possible, could you try the following?
- Enable fortinet-esp
config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport udp-fallback-tcp
set fortinet-esp enable
set fallback-tcp-threshold 10
next
end
- Confirm the changes:
diag vpn ike gateway list name "rav-HCVPN"
- Clear sessions:
diag sys session filter clear
diag sys session filter dport 4500
diag sys session clear
- Log in to FortiClient and confirm if it connects.
- Check if IPSec traffic is being received.
Note: If the above steps don’t work, disable fortinet-esp and run another series of tests.
config vpn ipsec phase1-interface
edit "rav-HCVPN"
set fortinet-esp disable
next
end
If it's still the same, set the transport to auto and force FortiClient to use TCP.
config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport auto
unset fortinet-esp
unset fallback-tcp-threshold
next
end
Hi Ricky, thanks for your reply.
@rtanagras wrote:
- Enable fortinet-esp
config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport udp-fallback-tcp
set fortinet-esp enable
set fallback-tcp-threshold 10
next
end
- Confirm the changes:
diag vpn ike gateway list name "rav-HCVPN"
- Clear sessions:
diag sys session filter clear
diag sys session filter dport 4500
diag sys session clear
- Log in to FortiClient and confirm if it connects.
- Check if IPSec traffic is being received.
Yes, this works; I can see the connection attempt in diag vpn ike gateway list, but the connection is in UDP mode. I also get the 2FA prompts.
However, I find that set fortinet-esp enable breaks even the UDP VPN connection - connection establishes fine, but I am not able to connect to anything over the tunnel.
unset fortinet-esp enable makes everything work properly again.
Here is the output of diag vpn ike gateway list name "rav-HCVPN"
vd: root/0
name: rav-HCVPN
version: 2
interface: wan1 5
addr: XX:4500 -> YY:500
tun_id: 10.0.0.5/::10.0.0.5
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 10s ago
eap-user: XX
2FA: yes
FortiClient UID: XX
pending-queue: 0
PPK: no
IKE SA: created 1/1
IPsec SA: created 0/0
@rtanagras wrote:
If it's still the same, set the transport to auto and force FortiClient to use TCP.
config vpn ipsec phase1-interface
edit "rav-HCVPN"
set transport auto
unset fortinet-esp
unset fallback-tcp-threshold
next
end
set transport auto doesn't exist in FOS 7.4.6 apparently, so I've set it to udp-fallback-tcp. I've unset fortinet-esp and fallback-tcp-threshold for this test.
I force FortiClient to use IPsec-over-TCP, but FCT times out; I see the same SYN-ACK-RST thing I saw earlier, and there are no log entries on the firewall:
FW # diag vpn ike gateway list name "rav-HCVPN"
FW #
I'm using 7.4.2.1737 running on Win10. Not sure what you meant by "clean install", but I didn't see any errors when I installed it last year.
The FGT side is FG60F 7.4.6. And I set both sides to use ONLY TCP 4500. And it was still working when I tested last night.
Toshi
Hi Ryan
I see from your output that your client is resetting the connection.
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]
And you said "Using FCT on iOS, I can get log entries to appear, so I'm not sure what the issue is anymore".
I think it is a good idea to try other versions. Can you try 7.4.2 and 7.4.1?
Not sure, but it looks like FortiClient is rejecting it at this point. Let's check the behavior when fortinet-esp is disabled in his testing. It also seems like he's using macOS for testing; if it's the latest version, it's on ARM, so only FortiClient 7.4.3 will work. By default, it uses port 4500, which looks correct in his packet capture.
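The two diagnostics discussed above, the step-by-step "change transport, clear sessions, reconnect, check whether traffic arrives" procedure from the earlier reply and the reading of the SYN / SYN,ACK / ACK / RST summary as "the client is resetting", both come down to one question: which side of the TCP/4500 handshake gives up. Below is an added example, not code from any poster in this thread and not a Fortinet tool, that answers it from the client side. probe_tcp() completes a real TCP handshake and reports whether a listener answered (SYN,ACK), refused (RST) or stayed silent (timeout, what a dropped or filtered port looks like); classify_capture() reads tcpdump-style flag lines in the format pasted above and says which side aborted. The host labels localip/vpnserver, the loopback ports and the sample capture are constructed for illustration.

```python
"""Localize where an IPsec-over-TCP (TCP/4500) attempt fails (added example)."""
import re
import socket

# Constructed sample, in the same format as the summary pasted in the thread.
SAMPLE_CAPTURE = """\
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]
"""

_LINE = re.compile(r"^(\S+) to (\S+): (\d+) -> (\d+) \[([A-Z, ]+)\]$")


def classify_capture(text: str, client: str = "localip", server: str = "vpnserver") -> str:
    """Return which side ended the session, from a flags-only capture summary.

    Verdicts: no_attempt, no_answer (SYN never answered: filtered/dropped),
    server_reset (RST from the server: nothing listening or rejected),
    client_reset (handshake done, client tore it down), half_open, established.
    """
    syn = synack = ack = False
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                       # ignore lines that are not flag summaries
        src, dst, _sport, _dport, flags = m.groups()
        flagset = {f.strip() for f in flags.split(",")}
        if src == client and dst == server:
            if "RST" in flagset:
                return "client_reset"
            if "SYN" in flagset:
                syn = True
            elif "ACK" in flagset and synack:
                ack = True
        elif src == server and dst == client:
            if "RST" in flagset:
                return "server_reset"
            if {"SYN", "ACK"} <= flagset:
                synack = True
    if not syn:
        return "no_attempt"
    if not synack:
        return "no_answer"
    return "established" if ack else "half_open"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a real handshake; 'accepted' means a listener sent SYN,ACK."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "accepted"
    except ConnectionRefusedError:
        return "refused"                   # RST came back: port closed/rejected
    except socket.timeout:
        return "timeout"                   # no reply at all: dropped or filtered
    except OSError as exc:
        return f"error:{exc.errno}"
    finally:
        s.close()


def demo() -> dict:
    """Exercise the probe against a loopback listener and a closed loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve and release a second ephemeral port so we have one that is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
            "thread_capture": classify_capture(SAMPLE_CAPTURE),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against the gateway itself you would call probe_tcp("<fortigate-wan-ip>", 4500): "accepted" means the FortiGate is listening on TCP/4500 and any failure after that point is the client's (as the capture above, which classifies as client_reset, already suggests), "refused" or "timeout" points back at the firewall side, where a missing listener or a blocking local-in policy would be the things to check.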
Created on 03-22-2025 06:41 PM Edited on 03-22-2025 06:45 PM
Hi Ricky, it's actually FCT 7.4.2 and 7.4.3 on Windows x64!
I've tried this on:
Hi @ryanswj, okay, thanks for confirming.
Hi AEK, I've tested FCT 7.4.2 to no avail. I will try 7.4.1 later, but I've heard that it also comes with its own set of bugs...