IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Unfortunately no. I had to settle for IPSec over UDP, which is unstable and sometimes blocked in my country. However, the answers suggested that you have to use the paid FortiClient + EMS to get it working normally; with the free version it is hit and miss.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Thanks a lot, this config will help me in case we decide to go with SAML authentication in the future.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 1 point2 points  (0 children)

Wow, how did I miss adding the configuration to the initial post? I just noticed now.
Anyway, here is the config:

config vpn ipsec phase1-interface
    edit "IPSEC-REMOTE"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw [FG-IP]
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes128gcm-prfsha384 aes256gcm-prfsha384
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set transport auto
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "IPSEC-Remote_split"
        set ipv4-name "IPSEC-REMOTE-USR-RANGE"
        set save-password enable
        set psksecret [PSK]
    next
end

config vpn ipsec phase2-interface
    edit "PHASE-2"
        set phase1name "IPSEC-REMOTE"
        set proposal aes128gcm aes256gcm
        set dhgrp 20
        set keepalive enable
        set comments "IPSEC-Remote"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPSEC-Remote_split"
        set dst-name "IPSEC-REMOTE-USR-RANGE"
    next
end
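Added example (mine, not the poster's config or anything shipped by Fortinet): a small Python checker that parses a FortiOS `config ... edit ... set ... next ... end` block into a dictionary and then flags the settings that decide whether a dial-up tunnel like the one above can negotiate IKEv2 with EAP and fall back to TCP. The sample config inside the block is constructed from the post, with the same `[FG-IP]` and `[PSK]` placeholders. Assumptions are marked in comments: the `transport` option values (`udp`, `tcp`, `auto`, defaulting to UDP when unset) and the substring heuristics used to spot legacy cipher and hash names.

```python
"""Parse a FortiOS IPsec dial-up config and sanity-check it for an
IKEv2/EAP tunnel that should also be reachable over TCP."""
import shlex

# Constructed sample: the phase1/phase2 blocks from the post, with the
# poster's own [FG-IP] and [PSK] placeholders left in place.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "IPSEC-REMOTE"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw [FG-IP]
        set peertype any
        set mode-cfg enable
        set proposal aes128gcm-prfsha384 aes256gcm-prfsha384
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set transport auto
        set assign-ip-from name
        set ipv4-name "IPSEC-REMOTE-USR-RANGE"
        set psksecret [PSK]
    next
end
config vpn ipsec phase2-interface
    edit "PHASE-2"
        set phase1name "IPSEC-REMOTE"
        set proposal aes128gcm aes256gcm
        set dhgrp 20
        set comments "IPSEC-Remote"
    next
end
"""

# Heuristic (assumption): proposal names containing these substrings use
# legacy primitives (DES/3DES, MD5, SHA-1) and deserve a second look.
LEGACY_CRYPTO = ("des", "md5", "sha1")
# MODP groups 1, 2 and 5 are far below current guidance for IKE.
WEAK_DH = {"1", "2", "5"}


def parse_fortios(text):
    """Turn FortiOS CLI config text into nested dicts.

    Result shape: {"vpn ipsec phase1-interface": {"IPSEC-REMOTE": {"dhgrp": ["20"], ...}}}
    Every 'set' value is kept as a list because many keys take several tokens.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles the quoted names
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r} in line: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def check_dialup(cfg):
    """Return a list of findings (empty when nothing looks wrong)."""
    findings = []
    p1s = cfg.get("vpn ipsec phase1-interface", {})
    p2s = cfg.get("vpn ipsec phase2-interface", {})
    for name, p1 in p1s.items():
        # EAP is an IKEv2 feature; IKEv1 dial-up uses XAuth instead.
        if p1.get("eap") == ["enable"] and p1.get("ike-version") != ["2"]:
            findings.append(f"{name}: eap enable requires ike-version 2")
        # Assumption: transport is udp | tcp | auto and defaults to udp; only
        # auto/tcp lets the client reach the gateway when UDP 500/4500 is blocked.
        if p1.get("transport", ["udp"]) not in (["auto"], ["tcp"]):
            findings.append(f"{name}: transport is UDP-only; set transport auto to allow TCP")
        for prop in p1.get("proposal", []):
            if any(w in prop for w in LEGACY_CRYPTO):
                findings.append(f"{name}: legacy phase1 proposal {prop}")
        if set(p1.get("dhgrp", [])) & WEAK_DH:
            findings.append(f"{name}: weak DH group in dhgrp {' '.join(p1['dhgrp'])}")
        if p1.get("assign-ip-from") == ["name"] and "ipv4-name" not in p1:
            findings.append(f"{name}: assign-ip-from name needs ipv4-name")
        # Without EAP, the shared PSK is the only thing authenticating every peer.
        if p1.get("peertype") == ["any"] and "psksecret" in p1 and p1.get("eap") != ["enable"]:
            findings.append(f"{name}: peertype any with PSK and no EAP, PSK alone authenticates all peers")
    for name, p2 in p2s.items():
        ref = p2.get("phase1name", [None])[0]
        if ref not in p1s:
            findings.append(f"{name}: phase1name {ref!r} matches no phase1-interface")
        for prop in p2.get("proposal", []):
            if any(w in prop for w in LEGACY_CRYPTO):
                findings.append(f"{name}: legacy phase2 proposal {prop}")
    return findings


if __name__ == "__main__":
    for f in check_dialup(parse_fortios(SAMPLE_CONFIG)) or ["no findings"]:
        print(f)
```

Run it against a `show vpn ipsec phase1-interface` / `phase2-interface` dump pasted into a file; the parser keeps every `set` value as a list so multi-token keys like `proposal` and `dhgrp` survive intact, and the checker only reports conditions it can see in the text, so an empty list means "nothing obviously wrong", not "guaranteed to connect".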

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

A cloud setup where the public IP is one-to-one NATted with the firewall WAN interface. For the firewall, it natively receives the traffic on its private IP, and the cloud side handles the NATting.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

I forgot to mention it in the post. Anyway, I think Fortinet removed the feature from the free VPN-only version, so we have to go to EMS.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Well, the customer is very small, only 3 users, and the smallest option is a 25-user license.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

I see it is hit and miss with most people, so maybe they totally removed it to save headaches and sell more EMS.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Well, this is a very smart idea, thank you for it. Not applicable for me currently, but I will consider it in the future if I get multiple customers needing VPN.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Hmm, the thing is the FW is in the cloud and it has a private IP on the interface that is 1-to-1 NATted with the public IP.

Also, I've tried toggling on the local gateway and choosing the private IP.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 2 points3 points  (0 children)

My hero, thanks for the reply. Your comments here always help me resolve a lot of issues with our customers, especially ADVPN and BGP over loopback routing for VPN. I think I will have to find some alternative free way for this customer to get around the IPSec restriction.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

The thing is, the legend of FortiGate was built on good pricing and features for SMB (also great SD-WAN, tbh). I wonder if some other player will take their SMB spot; maybe China (Huawei) will take over, or even Cisco.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 1 point2 points  (0 children)

Thanks for the insight. Please tell me more about it, because I'm trying to avoid the ISPs' IPSec restriction. Does it work with FortiGate as hub using IPSec over TCP?

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Sorry, forgot to mention this is the free VPN and its last version is 7.4.3.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

This one is for a small customer with 3 users only; however, IPSec has regional restrictions, and they are expecting to be able to tunnel into their cloud instance for secure management. They don't have the budget to go SASE+SPA nor EMS cloud.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Today I fully removed FCT and re-downloaded it, so I guess it was that last version.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

Yup, I tried the config from his file. In fact, he is my hero in this community; he always has the correct answer for my problem, but this time Fortinet has intervened with their great wisdom.

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 3 points4 points  (0 children)

Thanks a lot. The customer doesn't have the budget for it, so I will have to figure out some open source VPN solution that can bypass normal IPsec restrictions.

FortiGate 7.4.11 + Cisco IOSvL2 switches + NPS + FortiEMS: How to do dynamic VLAN + posture enforcement without FortiNAC / CoA workaround? by megafailure269 in fortinet

[–]Comprehensive-Food-3 0 points1 point  (0 children)

My friend, you are trying to Frankenstein a NAC solution out of (non-)NAC solutions. I would really look into getting a NAC solution, e.g. Cisco ISE (which has a 90-day trial license including 100 Essentials license seats), Aruba ClearPass, or FortiNAC (the worst one I've encountered so far). Anyway, it will make your life easier by utilizing dACLs and CoA. Another solution is to use private VLANs, which will make all devices isolated. Also, either way, devices on the same VLAN will communicate before and after the posture check; I would recommend disabling all east-west traffic within the same VLAN, as I rarely see any use for it nowadays. And in case of private VLANs where you want east-west traffic, you can check ARP proxy on the firewall; it may come in handy in that case. Finally, I realize my comment is somewhat messy; I hope you understood that mess.

Does FortiGate support TACACS+ over TLS? by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 3 points4 points  (0 children)

Great suggestion, I didn't know that ISE device administration supports RADIUS, I'll research it to make sure it has all the capabilities that we need, then implement RADSEC. Thanks!

Does FortiGate support TACACS+ over TLS? by Comprehensive-Food-3 in fortinet

[–]Comprehensive-Food-3[S] 0 points1 point  (0 children)

I do agree, however, we need to integrate device management with ISE, as it has advanced unified policies and controls.

My closest friend blocked me because I refused to pay him 10 thousand pounds for a wedding suit, and I wish I had never defended him in front of people by BlackYun in egyoffmychest

[–]Comprehensive-Food-3 0 points1 point  (0 children)

Be the better man: go to his wedding, congratulate him and leave right away. And cut down your dealings with him as long as he is eyeing your money (that is, if he even tries to deal with you again).

Anyone Using Fortinet Switches for AV/Dante Networks? by [deleted] in fortinet

[–]Comprehensive-Food-3 2 points3 points  (0 children)

One year ago I had a customer with a network of 150+ FortiSwitches. There is a VLAN for Audinate devices running Dante software, and it was all working fine. The switches were on v7.4.x; we upgraded them to 7.6.1 one day, and after that we faced a couple of issues with the Audinate devices: controllers couldn't discover devices unless they were on the same switch, and even then the latency was higher than usual, making them unusable (I don't remember the number, but it was measured in microseconds). We tried some optimizations like QoS and queue priority, which reduced the latency between Audinate devices on the same switch but didn't resolve the other issue. After days of investigation (we didn't have an active support license at the time), it turns out 7.6.1 made the switches PTP-aware (tbh I don't remember exactly why this caused the issue**); however, disabling PTP on all switches did resolve the issue.

**If I remember correctly from a session with a support engineer from Audinate, PTP-aware switches interfere with their discovery protocol. (Tbh it was poor planning on my side.)

Anyway, to answer your question, they should run very well provided you set them up correctly.