Troubleshooting Tip: Android FortiClient failed to connect to IKEv1 IPsec VPN tunnel after upgraded to FortiClient version 7.4.6 GA

Description

This article describes how to troubleshoot an issue where an Android FortiClient fails to connect to an IKEv1 IPsec VPN tunnel after upgrading to FortiClient version 7.4.6 GA.

Scope

Android FortiClient 7.4.6 onwards.

Solution

Issue symptoms:

• When the Android FortiClient was version 7.4.5 or earlier, the IKEv1 IPsec VPN tunnel could connect as expected.

• After Android FortiClient is upgraded to version 7.4.6, the IKEv1 IPsec VPN tunnel stops connecting with the following error message:

could not establish session on the IPsec daemon

Explanation:

• Android FortiClient 7.4.6 started implementing configuration validation on DH groups.

• Android FortiClient 7.4 supports the following DH groups: 1, 2, 5, and 14.

• Starting from Android FortiClient 7.4.6 onwards: FortiClient will stop initiating VPN connection attempts when an unsupported DH group or groups are selected in the FortiClient EMS profile. 

Solution:

1. In FortiClient EMS, by default, IPsec VPN tunnel will have DH group 14 and 15 pre-selected in phase1 setting.

2. Untick the DH group 15 in phase1 settings:

3. Save the configuration.

4. Once the Android FortiClient has synced with FortiClient EMS and has received the latest configuration, IKEv1 IPsec VPN tunnel will be able to connect successfully.