michael2406
New Contributor III

FortiGate - Dial-UP-IPSEC Tunnel - Problem with TCP as transport mode

Hello. I want to set up a dial-up IPsec VPN tunnel from FortiClient to FortiGate. The tunnel is working with transport mode "udp" and port "500".

When I change the transport mode in the phase1 settings to "tcp" or "auto" and then use "tcp" in FortiClient, FortiClient runs into a timeout. I have tested with local and SSO users. Both show the same behaviour. I also tested different TCP IKE ports in "conf system settings".


Any ideas?


FortiGate: 7.4.7

FortiClient: 7.4.2 

Toshi_Esumi
SuperUser

When I tried the same in a similar environment, I encountered the same/similar issue. I opened a ticket to ask TAC. Then I got this instruction to enable EAP.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-IKEv2-for-a-dial-up-IPsec-tunn...
I indeed saw "gw validation failed" error in IKE debugging.

After that, it started working.

Toshi

michael2406

EAP is already enabled. 

MZBZ
Staff

Open a TAC ticket with logs according to: https://community.fortinet.com/t5/FortiClient/Troubleshooting-Tip-Collecting-logs-for-addressing-VPN...

Also include packet captures from client and FortiGate side.


M. B.
michael2406
New Contributor III

Thank you. FortiGate sees the FSSO login, then no answer.

FortiClient Log says: "No response from the peer, phase1 retransmit reaches maximum count"

michael2406
New Contributor III

Here is the log from FortiClient. Interesting thing: why is it using port 500 even though I changed it to TCP and 443?

Bug in FortiClient?


msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel=test2 locip=192.XXX.XXX.XXX locport=500 remip=XX.XXX.XXX.XXX remport=500
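
The log line above only shows ports, not the protocol, but the ports it shows are enough to answer the question the post raises: 500 and 4500 are the IANA IKE-over-UDP ports, so a `remport=500` on a tunnel that was configured for TCP/443 means the client is still negotiating over UDP and the transport setting has not taken effect. The following is an added example, not code from the thread or from Fortinet: it parses FortiClient key=value log lines (quoted values included) and flags records whose observed IKE port disagrees with the transport the tunnel was supposed to use. The sample lines are constructed from the format quoted above with documentation-range addresses substituted; the expected protocol and port are passed in by the caller and are assumptions, not values read from FortiClient.

```python
"""Check FortiClient IPsec log records against the configured IKE transport.

Added example (not FortiClient or FortiGate code). It parses the
key=value log format quoted in the thread and reports when the peer port
in the record does not fit the transport the tunnel was configured for.
"""
import re

# IKE over UDP uses 500 (and 4500 once NAT-T is in play). The TCP port is
# whatever the administrator configured, so it is passed in by the caller.
IKE_UDP_PORTS = {500, 4500}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample, modeled on the FortiClient line quoted in the thread.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel=test2 locip=192.0.2.10 locport=500 remip=198.51.100.1 remport=500
msg="No response from the peer, phase1 retransmit reaches maximum count" vpntunnel=test2 locip=192.0.2.10 locport=4500 remip=198.51.100.1 remport=4500
"""


def parse_kv_line(line: str) -> dict:
    """Split one FortiClient log line into a dict, honouring quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def check_transport(fields: dict, expected_proto: str, expected_port: int) -> list:
    """Return a list of findings for one parsed record (empty means consistent).

    expected_proto/expected_port are what the tunnel was configured for on the
    client (e.g. "tcp", 443); the record itself carries only port numbers.
    """
    tunnel = fields.get("vpntunnel", "?")
    try:
        remport = int(fields.get("remport", ""))
    except ValueError:
        return [f"{tunnel}: no remport field, cannot judge transport"]

    proto = expected_proto.lower()
    findings = []
    if proto == "tcp":
        if remport in IKE_UDP_PORTS:
            findings.append(
                f"{tunnel}: configured for TCP/{expected_port} but peer port is "
                f"{remport} (an IKE-over-UDP port): TCP transport not in effect")
        elif remport != expected_port:
            findings.append(
                f"{tunnel}: peer port {remport} differs from configured TCP port {expected_port}")
    elif proto == "udp":
        if remport not in IKE_UDP_PORTS:
            findings.append(
                f"{tunnel}: configured for UDP IKE but peer port is {remport}, not 500/4500")
    else:
        raise ValueError("expected_proto must be 'tcp' or 'udp'")

    # Independent of transport: the record says phase1 never got an answer.
    if "retransmit reaches maximum count" in fields.get("msg", ""):
        findings.append(f"{tunnel}: phase1 retransmits exhausted, peer never answered on port {remport}")
    return findings


def audit(log_text: str, expected_proto: str, expected_port: int) -> list:
    """Run check_transport over every non-empty line; returns (tunnel, findings) pairs."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_kv_line(line)
        results.append((fields.get("vpntunnel"), check_transport(fields, expected_proto, expected_port)))
    return results


if __name__ == "__main__":
    # The situation from the thread: tunnel configured for TCP/443, log shows 500.
    for tunnel, findings in audit(SAMPLE_LOG, "tcp", 443):
        for f in findings:
            print(f)
```

Run it as-is and both sample records are flagged as still using UDP ports; run `audit(SAMPLE_LOG, "udp", 500)` instead and only the "retransmits exhausted" findings remain, which is the "No response from the peer" case with a consistent transport. The regex deliberately accepts both quoted and bare values because `msg=` carries spaces while the address and port fields do not; a naive `split()` would break the message into fragments.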

MZBZ

Export FortiClient config and confirm the port+proto and check the values under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec\Tunnels 


M. B.
michael2406
New Contributor III

For me, both look good.


[Attachments: config.png, registry.png]

MZBZ
Staff

To address this issue, it's necessary to review the FortiGate and FortiClient configurations as well as the IKE debug logs. Because these contain confidential personal information, I strongly recommend opening a TAC ticket. Alternatively, you could share them here publicly, although this is not advisable.

M. B.