FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
KC_Hing
Staff
Article Id 260028
Description

This article describes an issue where a VPN user cannot connect to a dialup IPsec VPN using FortiClient 7.x as the dialup client when multiple Diffie-Hellman (DH) groups are selected in the client's phase 1 settings.

 

Phase 1 negotiates as far as 'SA proposal chosen', but the negotiation then times out after an 'ike 0:<tunnel>:<xx>: parse error' message.

 

The IKE debug output is shown below:

 

ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup
ike 0:Dialup: created connection: 0xdd48830 3 10.47.2.6->10.47.2.149:1011.
ike 0:Dialup:27: DPD negotiated
ike 0:Dialup:27: XAUTHv6 negotiated
ike 0:Dialup:27: peer supports UNITY
ike 0:Dialup:27: enable FortiClient license check
ike 0:Dialup:27: enable FortiClient endpoint compliance check, use 169.254.2.1
ike 0:Dialup:27: selected NAT-T version: RFC 3947
ike 0:Dialup:27: cookie eeb4c223b2101232/5cedbcca290d1714
ike 0:Dialup:27: ISAKMP SA eeb4c223b2101232/5cedbcca290d1714 key 16:4F86B6E5801A736253390A3DF95E9F81
...
ike 0:Dialup:27: parse error <--
...
ike 0:Dialup:27: negotiation timeout, deleting
ike 0:Dialup: connection expiring due to phase1 down
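The following Python script is an added example, not part of the article or of any Fortinet tooling. It scans IKE debug output in the layout quoted above and reports each phase 1 negotiation that matched a gateway and chose a proposal but then ended in 'parse error' followed by a negotiation timeout, which is the signature of this issue. The sample log is constructed from the article's own lines plus a second, made-up negotiation (sequence 28) that does not fail; the line layout `ike <vdom>:<tunnel-or-cookies>:<seq>: <message>` is inferred from those lines and is an assumption.

```python
import re

# Constructed sample in the shape of the IKE debug output quoted in the article.
# Negotiation 27 reproduces the article's failing lines ("<--" markers and "..."
# elisions dropped); negotiation 28 is an added, made-up one that does not fail,
# so the triage has something to ignore.
SAMPLE_IKE_DEBUG = """\
ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup
ike 0:Dialup: created connection: 0xdd48830 3 10.47.2.6->10.47.2.149:1011.
ike 0:Dialup:27: DPD negotiated
ike 0:Dialup:27: XAUTHv6 negotiated
ike 0:Dialup:27: selected NAT-T version: RFC 3947
ike 0:Dialup:27: ISAKMP SA eeb4c223b2101232/5cedbcca290d1714 key 16:4F86B6E5801A736253390A3DF95E9F81
ike 0:Dialup:27: parse error
ike 0:Dialup:27: negotiation timeout, deleting
ike 0:Dialup: connection expiring due to phase1 down
ike 0:0123456789abcdef/0000000000000000:28: SA proposal chosen, matched gateway Dialup
ike 0:Dialup:28: DPD negotiated
ike 0:Dialup:28: XAUTHv6 negotiated
ike 0:Dialup:28: selected NAT-T version: RFC 3947
"""

# Assumed layout: "ike <vdom>:<tunnel-or-cookie-pair>:<seq>: <message>".
# Lines without a numeric <seq> (connection created / expiring) describe the
# tunnel rather than one negotiation and are skipped.
LINE_RE = re.compile(r"^ike \d+:(?P<ctx>[^:\s]+):(?P<seq>\d+): (?P<msg>.*)$")
GATEWAY_RE = re.compile(r"matched gateway (?P<gw>\S+)")


def find_failed_phase1(log_text):
    """Return one record per phase 1 negotiation that chose an SA proposal and
    then died with 'parse error' and a negotiation timeout."""
    negotiations = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, seq, msg = m.group("ctx"), int(m.group("seq")), m.group("msg")
        # Before the gateway is matched the context field is the cookie pair;
        # afterwards it is the tunnel name. Key on the name in both cases so the
        # "SA proposal chosen" line lands in the same record as the later lines.
        gw = GATEWAY_RE.search(msg)
        tunnel = gw.group("gw") if gw else ctx
        rec = negotiations.setdefault((tunnel, seq), {
            "tunnel": tunnel, "seq": seq,
            "proposal_chosen": False, "parse_error": False, "timeout": False,
        })
        if "SA proposal chosen" in msg:
            rec["proposal_chosen"] = True
        elif "parse error" in msg:
            rec["parse_error"] = True
        elif "negotiation timeout" in msg:
            rec["timeout"] = True
    return [r for r in negotiations.values()
            if r["proposal_chosen"] and r["parse_error"] and r["timeout"]]


if __name__ == "__main__":
    for r in find_failed_phase1(SAMPLE_IKE_DEBUG):
        print(f"{r['tunnel']} negotiation {r['seq']}: proposal chosen, then parse "
              f"error and timeout; check the client offers a single DH group that "
              f"the FortiGate accepts")
```

Run it against a capture of the FortiGate's IKE debug to narrow a noisy log to the negotiations that show this pattern; a parse error with no preceding 'SA proposal chosen' is a different failure and is deliberately not reported.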

Scope

FortiGate and FortiClient 7.0 and above.
 

Solution

Configure FortiClient to use only one Diffie-Hellman (DH) group in the VPN phase 1 (aggressive mode) settings, matching one of the groups accepted by the FortiGate. In IKEv1 aggressive mode the initiator sends its Diffie-Hellman key exchange payload in the first message, so the DH group cannot be negotiated and only one group can be offered per connection attempt.

 

For example:

 

FortiGate:

The dialup IPsec VPN is configured to accept DH groups 5 and 14 in the phase 1 interface configuration:

 

config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 14 5  <--
    next
end
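As an added example (not from the article or from FortiOS), the following Python lint parses a `config vpn ipsec phase1-interface` fragment in the CLI form shown above and lists the aggressive-mode tunnels that accept more than one DH group, together with the groups a dialup client must pick exactly one of. The configuration text is constructed: the "Dialup" entry reproduces the article's tunnel, the "Site2Site" entry is made up to give the check a passing case, and treating a phase 1 with no `set mode` line as main mode relies on FortiOS's default.

```python
import re

# Constructed FortiOS CLI fragment. "Dialup" mirrors the article's tunnel;
# "Site2Site" is an added entry with a single group so the lint has a pass case.
SAMPLE_PHASE1_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 14 5
    next
    edit "Site2Site"
        set interface "port1"
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""

EDIT_RE = re.compile(r'^edit "?([^"]+)"?$')


def parse_phase1_interfaces(config_text):
    """Parse the edit/set/next blocks into {tunnel: {"mode": str, "dhgrp": [int]}}.
    A tunnel without a `set mode` line is recorded as main mode (FortiOS default)."""
    tunnels, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {"mode": "main", "dhgrp": []})
            continue
        if line == "next":
            current = None
            continue
        if current is None or not line.startswith("set "):
            continue
        _, key, *values = line.split()
        if key == "mode":
            current["mode"] = values[0]
        elif key == "dhgrp":
            current["dhgrp"] = [int(v) for v in values]
    return tunnels


def aggressive_multi_dh(config_text):
    """Aggressive-mode tunnels accepting more than one DH group, mapped to the
    groups. A FortiClient dialing one of these must offer exactly one of them."""
    return {name: t["dhgrp"]
            for name, t in parse_phase1_interfaces(config_text).items()
            if t["mode"] == "aggressive" and len(t["dhgrp"]) > 1}


if __name__ == "__main__":
    for name, groups in aggressive_multi_dh(SAMPLE_PHASE1_CONFIG).items():
        print(f'{name}: aggressive mode with DH groups {groups}; '
              f'set the dialup client to exactly one of them')
```

Only aggressive-mode tunnels are flagged: in main mode the DH group is negotiated before the key exchange payload is sent, so several accepted groups on the FortiGate side are not a problem there.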

 

FortiClient:

Edit VPN Connection -> Advanced Settings -> Phase 1 -> DH Group: select only one DH group (14 or 5) so that it matches one of the groups configured on the FortiGate.