VPN through IPsec not Connecting (Egypt)

Currently I’m working in Saudi Arabia. We are using a FortiGate 300E firewall, and there is a VPN configured for Remote Access (Dialup) through an IPsec tunnel; we let users connect with FortiClient.

The VPN is working fine locally inside Saudi Arabia, and for some of our users who went to India and Dubai it is also working fine. But some of the users who went to Egypt reported that the VPN is not connecting. We tried to troubleshoot but did not get anywhere, because the VPN is working fine in the places mentioned.

Any suggestions?

Update on comments after my testing

Basic network troubleshooting is always the first thing you should do.

1. Guide the user to identify their current public IP.
2. Run the sniffer on your FortiGate for ports UDP/500 and UDP/4500 plus the affected user’s public IP.
3. Let the user make another attempt at connection.
4. Check if their packets reach your FortiGate at all.

If no packets are reaching it, you can start investigating the path in between (talk to ISPs, etc.). If the packets arrive, you can switch to debugging IPsec on the FortiGate (ike debug) and continue checking the negotiation message by message.
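Steps 2 to 4 above can be done offline against captured sniffer output. The following is an added example, not code from the thread or from Fortinet: it parses lines in the shape printed by `diagnose sniffer packet any "host <ip> and (udp port 500 or udp port 4500)" 4` and reports whether IKE (UDP/500) and NAT-T (UDP/4500) packets from the user's public IP reached the firewall and whether the FortiGate answered. The sample lines and all addresses are constructed (RFC 5737 documentation ranges), and the function names are my own.

```python
"""Triage FortiGate sniffer output for a dial-up IPsec client (added example)."""
import re
from collections import Counter

# Constructed sample of verbosity-4 sniffer lines:
#   <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>
# 203.0.113.45 is the travelling user; 192.0.2.77 is unrelated noise.
SAMPLE_SNIFFER = """\
3.026860 wan1 in 203.0.113.45.500 -> 198.51.100.10.500: udp 392
3.027441 wan1 out 198.51.100.10.500 -> 203.0.113.45.500: udp 384
3.227118 wan1 in 203.0.113.45.4500 -> 198.51.100.10.4500: udp 1
4.327211 wan1 in 203.0.113.45.500 -> 198.51.100.10.500: udp 392
5.000001 wan1 in 192.0.2.77.500 -> 198.51.100.10.500: udp 392
"""

# Timestamp is matched non-greedily so both relative (3.026860) and
# absolute ("2024-03-01 09:15:02.100341") forms parse.
LINE_RE = re.compile(
    r"^(?P<ts>.*?)\s+(?P<ifname>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)


def parse_sniffer(text):
    """Return one dict per parseable sniffer line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "len"):
            d[key] = int(d[key])
        rows.append(d)
    return rows


def triage_client(text, client_ip):
    """Count IKE/NAT-T packets to and from client_ip and classify the state.

    States:
      unreachable  - nothing from the client arrived: investigate the path/ISP
      no_reply     - packets arrived but the FortiGate sent nothing back
      negotiating  - both directions seen: continue with the IKE debug
    """
    c = Counter()
    for r in parse_sniffer(text):
        if r["proto"] != "udp":
            continue
        if r["dir"] == "in" and r["src"] == client_ip:
            if r["dport"] == 500:
                c["ike_in"] += 1
            elif r["dport"] == 4500:
                c["natt_in"] += 1
        elif r["dir"] == "out" and r["dst"] == client_ip and r["sport"] in (500, 4500):
            c["replies_out"] += 1

    if c["ike_in"] == 0 and c["natt_in"] == 0:
        state = "unreachable"
    elif c["replies_out"] == 0:
        state = "no_reply"
    else:
        state = "negotiating"
    return {
        "ike_in": c["ike_in"],
        "natt_in": c["natt_in"],
        "replies_out": c["replies_out"],
        "state": state,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.99"):
        print(ip, triage_client(SAMPLE_SNIFFER, ip))
```

Run the sniffer on the FortiGate while the user retries, paste the output into `SAMPLE_SNIFFER` (or read it from a file), and call `triage_client` with the public IP the user reported. A result of `unreachable` means the ISP or the path is the problem, which is the Egypt case discussed in this thread; only `negotiating` justifies spending time in `diagnose debug application ike`.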

Providers in Egypt block IPsec VPN (on order from the government); for some you can request a permit stating that you are allowed to use IPsec VPN (not easy to get).

I want to provide an update on the matter.

I have tested on a couple of computers in Egypt and found that SSL-VPN is working only through the ISP “WE”.

I can’t 100% guarantee it, but as per the test I did, it is working with that ISP.

We did some research from our side and found someone talking about changing the IKE port. Do you have any idea if this might work or not?
Still, we are not sure how to implement it, what it might affect, or what the required changes are on the firewall side and the client side.

Also, we might try to configure SSL-VPN. Do you have any idea if it will work or not?

Changing the IKE port would be a bad idea, unless you change it on every connecting client (I would call this a non-starter).

SSL-VPN should work fine, since it runs on TCP/443 by default.

We did some research from our side and found someone talking about changing the IKE port.

Bash Muhandis - do yourself a favor and go straight to SSL VPN.

Changing the IKE port is just going to further complicate things for you and your team in the future. And I am not sure how well the Egyptian government would take to bypassing IPsec restrictions.

You can ask your provider for the form to allow IPsec VPN, as it’s required to run your business there.

It can take a while and I’m not sure you’ll get it, but it’s worth a try - if you have a local partner, they might be able to help you on that matter with the provider too.

Client SSL VPN via the standard TCP/443 port worked with all providers our users had - so just IPsec is locked (and we tried several providers). Not sure if they just have stupid port blocks or if they recognize the protocol itself independent of what port is used. We didn’t try to screw up our IPsec just for that and were lucky that our local partner was able to localize one internet link with IPsec permission for us.

Seconding this.

During COVID, when we heavily utilized VPN, we found out that a major telco provider choked the IKE connection, both local and international.

Understandable, as it’s a government-owned provider.

We are going to try SSL-VPN and we will use a customized port, but we are still not sure if it will work or not.

But for the IKE port, would it work? If it is somewhat guaranteed, we can manage the clients.

But still I did not find any source on how to change the settings in FortiClient.