FortiClient
asostizzo_FTNT
Article Id 189924
Description
When FortiClient is configured to connect in Aggressive mode with multiple matching Diffie-Hellman (DH) groups selected, the following error may appear in the FortiClient logs when the 'debug' log level is enabled, even though the configuration matches on both ends.
This article describes this error.
...
6/22/2016 10:35:09 AM Debug VPN failed to compute dh value.
...
In the FortiGate's IKE debug output, retransmissions may be seen, as in the example below, leading to a negotiation timeout:
...
ike 0:Test:603279: sent IKE msg (retransmit): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
...
ike 0:Test:603279: sent IKE msg (P1_RETRANSMIT): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
...
ike 0:Test:603279: sent IKE msg (P1_RETRANSMIT): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
ike 0:Test:603279: negotiation timeout, deleting
ike 0:Test: connection expiring due to phase1 down
ike 0:Test: deleting
ike 0:Test: flushing 
ike 0:Test: sending SNMP tunnel DOWN trap
ike 0:Test: flushed 
ike 0:Test: reset NAT-T
ike 0:Test: deleted

Solution
Select only one matching DH group in the IPsec VPN configuration on both the FortiGate and FortiClient.
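To confirm that a captured session shows this symptom before changing the DH group selection, the two log excerpts can be correlated. The script below is an added example, not Fortinet code: it assumes the log line layouts are exactly as quoted in this article, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the debug lines quoted in this article, embedded so this runs offline.
FORTIGATE_DEBUG = """\
ike 0:Test:603279: sent IKE msg (retransmit): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
ike 0:Test:603279: sent IKE msg (P1_RETRANSMIT): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
ike 0:Test:603279: sent IKE msg (P1_RETRANSMIT): 161.238.252.1:4500->186.9.132.149:23120, len=600, id=a7ccc44d6b53071f/db5831cf60f76ecc
ike 0:Test:603279: negotiation timeout, deleting
ike 0:Test: connection expiring due to phase1 down
"""
FORTICLIENT_LOG = "6/22/2016 10:35:09 AM Debug VPN failed to compute dh value.\n"

# Assumption: "ike <vdom>:<tunnel>:<serial>: ..." layout, as in the excerpts above.
SENT = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): sent IKE msg \((?P<kind>[^)]+)\): "
    r"(?P<src>\S+)->(?P<dst>[^,]+), len=\d+, id=(?P<cookies>[0-9a-f]+/[0-9a-f]+)")
TIMEOUT = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): negotiation timeout, deleting")

def find_stalled_phase1(debug_text):
    """Return one record per negotiation that retransmitted and then timed out."""
    sessions = defaultdict(lambda: {"retransmits": 0, "peer": None, "cookies": None})
    stalled = []
    for line in debug_text.splitlines():
        line = line.strip()
        m = SENT.match(line)
        if m and "retransmit" in m["kind"].lower():
            s = sessions[(m["tunnel"], m["serial"])]
            s["retransmits"] += 1
            s["peer"], s["cookies"] = m["dst"], m["cookies"]
            continue
        m = TIMEOUT.match(line)
        if m and (m["tunnel"], m["serial"]) in sessions:
            key = (m["tunnel"], m["serial"])
            stalled.append({"tunnel": key[0], "serial": key[1], **sessions.pop(key)})
    return stalled

def client_dh_failures(client_log):
    """Return FortiClient debug lines that report the DH computation failure."""
    return [l.strip() for l in client_log.splitlines()
            if "failed to compute dh value" in l.lower()]

def triage(debug_text, client_log):
    """Flag the symptom pair this article describes: client DH error + phase 1 timeout."""
    stalled, dh = find_stalled_phase1(debug_text), client_dh_failures(client_log)
    return {"stalled": stalled, "client_dh_errors": dh,
            "matches_article_pattern": bool(stalled and dh)}

if __name__ == "__main__":
    print(triage(FORTIGATE_DEBUG, FORTICLIENT_LOG))
```

A retransmit-then-timeout sequence on its own has many causes; the script reports a match only when the FortiClient DH error is also present.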