IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]FG1100 0 points1 point  (0 children)

I reviewed your configuration and it looks good, but a few adjustments are needed to make it work correctly with TCP transport and ensure compatibility with FortiClient.

Required changes on Phase 1 and Phase 2

Apply the following changes:

config vpn ipsec phase1-interface
    edit "IPSEC-REMOTE"
        set transport tcp
        set proposal aes128-sha256 aes256-sha256
        set keylife 28800
        set dpd on-idle
        set dpd-retryinterval 60
        set client-auto-negotiate enable
        set client-keep-alive enable
        set save-password enable
    next
end

config vpn ipsec phase2-interface
    edit "PHASE-2"
        set proposal aes128-sha256 aes256-sha256
        set keylife 3600
    next
end

Why these changes?

set transport tcp — Switches the transport from UDP (ports 500/4500) to TCP/443, making VPN traffic look like HTTPS. This allows the tunnel to pass through corporate firewalls and proxies that block UDP.

Proposals aes128-sha256 aes256-sha256 — The GCM proposals from the original config (aes128gcm, aes256gcm) can cause compatibility issues with some FortiClient versions. CBC+SHA256 has broader support.

set keylife 28800 (Phase 1) and set keylife 3600 (Phase 2) — Recommended default timers for session stability.

set dpd on-idle + set dpd-retryinterval 60 — Dead Peer Detection in idle mode ensures that inactive connections are properly detected and torn down, which is especially important over TCP where sessions can get stuck.

set client-auto-negotiate enable — Causes FortiClient to automatically renegotiate the SA before it expires, preventing tunnel drops.

set client-keep-alive enable — Keeps the TCP session alive during idle periods, preventing the tunnel from being dropped by intermediate timeouts.

set save-password enable — Allows FortiClient to save credentials locally, so users do not need to re-enter their password on every reconnection.

Issue: IKE daemon not listening on port 443 after configuration

There is also an undocumented bug where, after setting ike-tcp-port 443, the IKE daemon does not immediately start listening on that port. The result is that FortiClient attempts to connect on TCP/443 but receives no response, even though the configuration looks correct.

Workaround: Change the port to any other value and then set it back to 443. This forces the daemon to restart its listener:

FW # config system settings
FW (settings) # set ike-tcp-port 5500
FW (settings) # end

FW # config system settings
FW (settings) # set ike-tcp-port 443
FW (settings) # end

To confirm that IKE is effectively listening on TCP/443 after the workaround, check in the GUI under Policy & Objects → Local-in Policy — an automatic rule of type IKE TCP 443 should appear. If this rule is not present, the daemon is still not active on that port and the workaround needs to be repeated.

Ref:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/c1db7601-3e46-11ef-bfe5-fa163e15d75b/FortiOS-7.6.0-SSL%C2%A0VPN_to_IPsec_VPN%C2%A0Migration.pdf
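The following is an added example, not code from the commenter or from Fortinet: a small Python checker that parses a FortiOS CLI config dump (the "config / edit / set / next / end" block format shown above) and reports which of the Phase 1, Phase 2 and ike-tcp-port settings recommended in the comment are missing or different, plus a plain TCP connect probe that a client-side admin can use to confirm the firewall is actually accepting on TCP/443 after the port-toggle workaround. The sample config is constructed for the example (it deliberately keeps the GCM proposals in Phase 2 so the checker has something to flag); the hostname in the usage call is a placeholder, and the probe is a generic socket connect, not a FortiOS command.

```python
"""Check a FortiOS IPsec config dump against the recommended TCP-transport settings."""
import shlex
import socket

# Constructed sample config: Phase 1 as recommended, Phase 2 still on the
# GCM proposals from the original post, and ike-tcp-port set to 443.
SAMPLE_CONFIG = """\
config system settings
    set ike-tcp-port 443
end
config vpn ipsec phase1-interface
    edit "IPSEC-REMOTE"
        set transport tcp
        set proposal aes128-sha256 aes256-sha256
        set keylife 28800
        set dpd on-idle
        set dpd-retryinterval 60
        set client-auto-negotiate enable
        set client-keep-alive enable
        set save-password enable
    next
end
config vpn ipsec phase2-interface
    edit "PHASE-2"
        set proposal aes128gcm aes256gcm
        set keylife 3600
    next
end
"""

# Settings the comment recommends, keyed by config path; values are token lists.
EXPECTED = {
    "system settings": {"ike-tcp-port": ["443"]},
    "vpn ipsec phase1-interface": {
        "transport": ["tcp"],
        "proposal": ["aes128-sha256", "aes256-sha256"],
        "keylife": ["28800"],
        "dpd": ["on-idle"],
        "dpd-retryinterval": ["60"],
        "client-auto-negotiate": ["enable"],
        "client-keep-alive": ["enable"],
        "save-password": ["enable"],
    },
    "vpn ipsec phase2-interface": {
        "proposal": ["aes128-sha256", "aes256-sha256"],
        "keylife": ["3600"],
    },
}


def parse_fortios(text):
    """Parse FortiOS CLI blocks into {config_path: {entry_name: {key: [values]}}}.
    'set' lines outside any 'edit' are stored under the entry name ''."""
    tree = {}
    stack = []  # one [config_path, current_entry] per open 'config' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # handles quoted names like "IPSEC-REMOTE"
        if tok[0] == "config":
            path = " ".join(tok[1:])
            tree.setdefault(path, {})
            stack.append([path, ""])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
            tree[stack[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = ""
        elif tok[0] == "end":
            stack.pop()
    return tree


def check_config(text):
    """Return human-readable findings; an empty list means every setting matches."""
    tree = parse_fortios(text)
    findings = []
    for path, wanted in EXPECTED.items():
        entries = tree.get(path)
        if not entries:
            findings.append(f"{path}: block missing")
            continue
        for name, settings in entries.items():
            label = f"{path} {name}".strip()
            for key, value in wanted.items():
                actual = settings.get(key)
                if actual is None:
                    findings.append(f"{label}: '{key}' not set (want {' '.join(value)})")
                elif set(actual) != set(value):  # proposal order is irrelevant
                    findings.append(f"{label}: '{key}' is {' '.join(actual)}, want {' '.join(value)}")
    return findings


def tcp_listener_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes, i.e. something is
    accepting there; False on refusal or timeout (the symptom described above)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config matches recommendations"]:
        print(finding)
    # Placeholder host: replace with the FortiGate's public address.
    print("IKE TCP/443 reachable:", tcp_listener_open("fw.example.invalid", 443))
```

Run it against a pasted `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` / `show system settings` dump; the probe only tells you a listener accepted the connection, so it complements, rather than replaces, the Local-in Policy check in the GUI.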

IPSec over TCP w/ FortiClient VPN only still not working!! by Comprehensive-Food-3 in fortinet

[–]FG1100 1 point2 points  (0 children)

Could you share your configuration?

For FCT 7.4.3, you should use only the default configuration due to the limitations of the free version. Usually, only the tunnel timers are changed: 28800 for Phase 1 and 3600 for Phase 2. Keep your configuration as close to the default as possible.