Description |
This article describes an issue where a VPN user cannot connect to a dialup IPsec VPN with FortiClient (7.X) as the dialup client when multiple Diffie-Hellman groups are selected.
IKE phase 1 negotiation reaches 'SA proposal chosen', but then times out with the error 'ike 0:<tunnel>:<xx>: parse error'.
The IKE debug output is shown below:
ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup |
Scope | FortiGate and FortiClient 7.0 and above. |
Configure FortiClient to use only one Diffie-Hellman (DH) group when VPN phase 1 is configured in aggressive mode. For example:
FortiGate: the dialup IPsec VPN is configured to accept Diffie-Hellman (DH) groups 5 and 14 in the phase 1 interface configuration.
config vpn ipsec phase1-interface
    edit <tunnel>
        set dhgrp 14 5   <--
    next
end
FortiClient: Edit VPN Connection -> Advanced Settings -> Phase 1 -> DH Group -> select only one DH group, 14 or 5, to match. |
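The symptom from the Description ('SA proposal chosen' followed by 'parse error' for the same negotiation) can be picked out of a saved IKE debug capture with a short script. This is an added example, not Fortinet code; it assumes the <xx> field is the same number in both messages, and every sample line other than the one quoted in the Description is constructed.

```python
import re

# Message shapes as they appear in this article:
#   ike 0:<cookies>:<xx>: SA proposal chosen, matched gateway <name>
#   ike 0:<tunnel>:<xx>: parse error
LINE = re.compile(r"^ike \d+:(?P<ctx>[^:\s]+):(?P<id>\d+): (?P<msg>.*)$")
CHOSEN = re.compile(r"^SA proposal chosen, matched gateway (?P<gw>\S+)")


def find_dh_mismatch_symptom(lines):
    """Return one record per negotiation that logged 'SA proposal chosen'
    and later 'parse error' under the same <xx> id.

    Assumption (not stated in the article): the numeric <xx> field is the
    same in both messages of one negotiation.
    """
    chosen = {}  # <xx> id -> gateway name from the 'SA proposal chosen' line
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line in the expected shape
        key, msg = m["id"], m["msg"].strip()
        c = CHOSEN.match(msg)
        if c:
            chosen[key] = c["gw"]
        elif msg == "parse error" and key in chosen:
            hits.append({"id": key, "gateway": chosen.pop(key),
                         "context": m["ctx"]})
    return hits


# Constructed sample: the first line is the one quoted in the Description;
# the other three are made up for this example, not real FortiGate output.
SAMPLE = """\
ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup
ike 0:Dialup:27: parse error
ike 0:1111111111111111/0000000000000000:28: SA proposal chosen, matched gateway Dialup
ike 0:Other:31: parse error
""".splitlines()

if __name__ == "__main__":
    for hit in find_dh_mismatch_symptom(SAMPLE):
        print(f"gateway {hit['gateway']} (id {hit['id']}): proposal chosen, "
              "then parse error; check FortiClient has a single DH group")
```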
Copyright 2024 Fortinet, Inc. All Rights Reserved.