Support Forum
ryanswj
New Contributor

FortiClient Remote Access IPsec-over-TCP not working

Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSL VPN to IPsec VPN.

I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPsec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.

I also notice that TCP 4500 is not one of the local-in policies on the firewall.

Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?

Thank you!

rtanagras
Staff

As far as I know, you don't need to configure a local-in policy for it to work, unless there are existing restrictions configured on your FortiGate that block certain services from entering the WAN interface.

Best,
Ricky
AEK
SuperUser

AEK
ryanswj
New Contributor

Hi there, yep, I've read through this tech tip, and have played with the following settings:

```
set transport tcp
set fortinet-esp enable
```

Set or unset, it makes no difference, unfortunately.

maulishshah
Staff

Hi Ryan,

Follow the shared article, and if the configuration is okay and you are still unable to connect with FortiClient, please run the following debug commands:

```
di de application ike -1
di de console timestamp en
di de en
```

Now initiate the connection from FortiClient and verify what the error could be.

Here is the troubleshooting tip for IPsec VPN:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-tunnels/ta-p/195955

Maulish Shah
ryanswj

Hi Maulish,

Thanks for your reply. I enabled the debugging messages but didn't even see the FortiClient attempting to hit the box.

FortiClient says that the connection timed out. There's a working Internet connection on the box.

maulishshah

Hi Ryan, can you please run a Wireshark capture on the Windows machine where you installed FortiClient, and run the following command on the FortiGate to verify the communication?

```
di sniff packet any 'host x.x.x.x' 6 0 l
```

x.x.x.x is the public IP that you are trying to connect from.

Maulish Shah
ryanswj

Hi Maulish,

The diag sniff packet command doesn't show anything.

Wireshark on the machine with FortiClient says:

```
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]
```

Somewhere along the line, the connection is dropped...
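The four Wireshark summary lines above are easy to misread, so here is a small triage script, added for this thread and not part of any poster's tooling or Fortinet's products. It parses summary lines in exactly that "src to dst: sport -> dport [FLAGS]" shape (the sample trace is constructed from the post) and classifies the TCP session: a SYN that is never answered, a RST answering the SYN (port closed or dropped by policy), or a completed handshake that one side tears down before any payload is sent, which is what the capture shows here.

```python
import re

# Constructed sample, copied from the Wireshark summary quoted in the thread.
SAMPLE_TRACE = """\
localip to vpnserver: 54895 -> 4500 [SYN]
vpnserver to localip: 4500 -> 54895 [SYN, ACK]
localip to vpnserver: 54895 -> 4500 [ACK]
localip to vpnserver: 54895 -> 4500 [RST, ACK]
"""

# "<src> to <dst>: <sport> -> <dport> [FLAG, FLAG]"
LINE_RE = re.compile(r"^(\S+) to (\S+): (\d+) -> (\d+) \[([A-Z, ]+)\]$")

def parse_trace(text):
    """Turn summary lines into (src, dst, sport, dport, flags) tuples."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised summary line: {line!r}")
        src, dst, sport, dport, flags = m.groups()
        flagset = frozenset(f.strip() for f in flags.split(","))
        packets.append((src, dst, int(sport), int(dport), flagset))
    return packets

def classify_handshake(packets, client):
    """Verdict on the first TCP session in the trace, seen from `client`."""
    saw_syn = saw_synack = saw_ack = saw_data = False
    for src, _dst, _sport, _dport, flags in packets:
        from_client = src == client
        if "RST" in flags:
            if not saw_synack:
                return "server-refused"      # RST answering the SYN
            if saw_data:
                return "aborted-after-data"
            # Handshake completed: the listener accepted TCP, so a local-in
            # block is unlikely; the side sending RST gave up before IKE.
            return "client-aborted" if from_client else "server-aborted"
        if "SYN" in flags and "ACK" not in flags and from_client:
            saw_syn = True
        elif "SYN" in flags and "ACK" in flags and not from_client:
            saw_synack = True
        elif "ACK" in flags and from_client and saw_synack:
            saw_ack = True
        if "PSH" in flags:
            saw_data = True
    if saw_syn and not saw_synack:
        return "no-response"                 # listener or path silently dropped it
    return "established" if saw_ack else "incomplete"
```

In the thread's capture the verdict is "client-aborted": the FortiGate completed the handshake on TCP 4500, so the problem sits after TCP connect rather than in a missing local-in policy.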

ryanswj
New Contributor

Here's the config of the phase1-interface:

```
config vpn ipsec phase1-interface
    edit "ra-HCVPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.1.11
        set ipv4-dns-server2 X.X.1.16
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: ra-HCVPN (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set transport udp-fallback-tcp
        set fortinet-esp enable
        set ipv4-start-ip X.Y.0.1
        set ipv4-end-ip X.Y.0.10
        set save-password enable
        set psksecret ENC XXX
    next
end
```
rtanagras

Based on the config (set transport udp-fallback-tcp), UDP is the preferred transport and TCP is the fallback.

Change to:

```
config vpn ipsec phase1-interface
    edit "ra-HCVPN"
        set transport tcp
    next
end
```

To verify:

```
diag vpn ike gateway list
```

Look for 'transport: TCP'; this confirms that you're using TCP.

Best,
Ricky