Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ryanswj
New Contributor

FortiClient Remote Access IPsec-over-TCP not working

Hi, I am running FortiOS 7.4.7 on a FortiGate-60F and am trying to migrate from SSLVPN to IPsec VPN.
I've managed to configure IPsec (IKEv2) dial-up to work fine, but I notice that when I set the mode to IPSec over TCP, FortiClient (v7.4.3) does not connect and times out. UDP mode works perfectly fine.
I also notice that TCP 4500 is not one of the local-in policies on the firewall.
Does a local-in policy need to be configured for this to work? Has anyone had any experience with this?
Thank you!
30 replies
ryanswj

Hi Ricky, actually udp-fallback-tcp is the expected behavior. The problem is that the TCP part never works - it just fails to connect. UDP works flawlessly. SSLVPN also works flawlessly on this box.

maulishshah
Staff

Have you read this document to verify a few more settings: https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/567401/dialup-ipsec-vpn-usin...

Maulish Shah
Toshi_Esumi
SuperUser

What's in IKE debug? diag debug app ike -1

Toshi

fn-hmx

deleted

ryanswj

Hi Toshi,

Unfortunately, it seems like diag debug app ike -1 doesn't even print anything.

It seems like FCT won't establish the connection properly.

Using FCT on iOS, I can get log entries to appear, so I'm not sure what the issue is anymore.

Toshi_Esumi

What's your FortiClient version and what did you set up at the app? Can you share the screen, especially under "+Advanced Settings"?

Toshi

ryanswj

Hi Toshi, FCT is at v7.4.3, the latest and greatest. Open to trying some older version if required.

I'll get you a screenshot soon.

Thanks for all your help.

ryanswj

Hi Toshi, please find attached the VPN client configuration.

The client connects fine over IKE over UDP and Auto mode, but if I force IPsec over TCP, it times out.

The Gate is a 60F that was recently upgraded from 7.2.11.

(Screenshots attached: Screenshot 2025-03-22 114028.png, Screenshot 2025-03-22 114049.png)

Also posting the relevant config lines for you here:

config vpn ipsec phase1-interface
    edit "rav-HCVPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.1.11
        set ipv4-dns-server2 X.X.1.16
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: rav-HCVPN (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set transport udp-fallback-tcp
        set ipv4-start-ip 172.24.0.1
        set ipv4-end-ip 172.24.0.10
        set save-password enable
        set psksecret ENC XXX
    next
end

I had to unset fortinet-esp, if not the tunnel would connect over UDP but no traffic would pass.
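A small parser for the `config vpn ipsec phase1-interface` block posted above, added here as an example and not part of the thread or any Fortinet tool. It extracts each tunnel's settings and derives which gateway listeners the chosen `transport` value implies, so you can tell at a glance whether TCP 4500 must be reachable (and hence what a local-in policy or an upstream firewall would need to allow). The assumptions are: `transport` defaults to `udp` when unset, the TCP transport uses port 4500 as Toshi observed in his capture, and the sample block below is a trimmed copy of the poster's config with a placeholder secret.

```python
"""Parse a FortiOS phase1-interface block and report IKE transport listeners.

Added example; not FortiOS/FortiClient code. Assumptions are marked inline.
"""
import re

# Constructed sample: trimmed copy of the config posted in the thread.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "rav-HCVPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256
        set eap enable
        set transport udp-fallback-tcp
        set psksecret ENC PLACEHOLDER
    next
end
"""

# Standard IKE / NAT-T UDP ports; TCP 4500 is the default seen in the thread.
IKE_UDP_LISTENERS = {("udp", 500), ("udp", 4500)}
IKE_TCP_LISTENER = ("tcp", 4500)

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
_SET_RE = re.compile(r'^(set|unset)\s+(\S+)(?:\s+(.*))?$')


def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every `edit` entry.

    Handles `set key value...` (value may contain spaces or quotes) and
    `unset key`, which removes a previously set key. Lines outside an
    `edit ... next` pair are ignored.
    """
    tunnels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("config ") or line == "end":
            continue
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels.setdefault(current, {})
            continue
        if line == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            verb, key, value = m.groups()
            if verb == "unset":
                tunnels[current].pop(key, None)
            else:
                tunnels[current][key] = (value or "").strip().strip('"')
    return tunnels


def expected_listeners(settings):
    """Return the set of (proto, port) the gateway must accept for IKE.

    Assumption: a missing `transport` means plain UDP. `udp-fallback-tcp`
    needs both the UDP ports and TCP 4500; `tcp` needs only TCP 4500.
    """
    transport = settings.get("transport", "udp")
    listeners = set()
    if transport in ("udp", "udp-fallback-tcp"):
        listeners |= IKE_UDP_LISTENERS
    if transport in ("tcp", "udp-fallback-tcp"):
        listeners.add(IKE_TCP_LISTENER)
    return listeners


def report(text):
    """Map each tunnel name to its required listeners, for a quick review."""
    return {name: expected_listeners(cfg) for name, cfg in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, ports in report(SAMPLE_CONFIG).items():
        print(name, sorted(ports))
```

Run it against your own `show vpn ipsec phase1-interface` output instead of the sample; any tunnel that lists `("tcp", 4500)` is one where the gateway must be accepting TCP 4500 on the tunnel's interface for a TCP-mode client to get past the initial connect.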
Toshi_Esumi

I thought this feature was supported from FortiOS 7.4.2 or later as mentioned in this KB:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-TCP-as-transport-for-IKE-IPsec-...
So I tested it myself last year with 7.4.6 and it worked.

But your original post was mentioning "FortiOS 7.4.7". Which is correct?
Oh, you said "upgraded from 7.2.11". So it should work.
How about "transport tcp"? Would it work if you set both ends to that instead of "udp-fallback-tcp"? That's what I tested before.

In either case, IKE debug should show proper output regardless of whether it connects successfully or fails.

Toshi

Toshi_Esumi

By the way, I referred to the client-side doc first
https://docs.fortinet.com/document/forticlient/7.4.0/new-features/914884/ipsec-vpn-over-tcp-7-4-1
so I didn't set "fortinet-eap" enable either. But when I sniffed the traffic after the tunnel got up, packets through the tunnel were encapsulated in TCP 4500 (default).

Toshi
