Troubleshooting Tip: Dial-up IPsec VPN in aggressive mode error 'failed to compute DH shared secret'
| Description | This article describes an error seen in both the FortiClient and FortiGate logs when FortiClient is configured to connect to a dial-up IPsec VPN in aggressive mode with multiple matching Diffie-Hellman (DH) groups selected, even though the configuration matches on both ends. |
| Scope | FortiClient v7.2, v7.4 and v7.6. |

Solution

On FortiClient, the following error message is observed in the exported logs and on the notification bar:

FortiClient logs: utmaction=passthrough utmevent=vpn threat=disconnects
Windows notification bar: Timeout while connecting to X.X.X.X

On the FortiGate, the debug commands vary depending on the firmware version:

```
diagnose debug disable
diagnose debug reset
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable
```

Relevant IKE debug output:

```
ike 1:13624: SA proposal chosen, matched gateway Dialup01
```

Note: In some cases, the observed log is 'compute DH shared secret request queued'; the same workaround applies.

Use this command to stop the debugging:

```
diagnose debug disable
```

Root Cause: The order in which the DH groups were selected on the FortiGate caused this error.

```
config vpn ipsec phase1-interface
```

On the FortiClient side, 14 is first in order.

Solution:

Option 1: Edit the VPN using the CLI on the FortiGate and change the order:

Option 2: Choose only one DH group on the FortiClient side:
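As an added check (not part of the Fortinet article), the following Python script parses the `set dhgrp` order from a `config vpn ipsec phase1-interface` block and compares it with the DH group list configured on FortiClient, flagging the ordering mismatch this article describes. The configuration text, the `set dhgrp` values and the client list are constructed placeholders, not the article's actual settings.

```python
import re

# Constructed FortiGate phase1-interface snippet; only the tunnel name
# comes from the article's debug line, the dhgrp values are placeholders.
FORTIGATE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Dialup01"
        set mode aggressive
        set dhgrp 5 14
    next
end
"""

# Constructed FortiClient preference: group 14 first, as in the article.
FORTICLIENT_DHGRP = [14, 5]


def parse_phase1_dhgrp(config_text):
    """Return {tunnel: [DH groups in configured order]} for every
    'edit' entry in the block that carries a 'set dhgrp' line."""
    groups = {}
    tunnel = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            tunnel = m.group(1)
            continue
        m = re.match(r'^set dhgrp ((?:\d+\s*)+)$', line)
        if m and tunnel is not None:
            groups[tunnel] = [int(g) for g in m.group(1).split()]
    return groups


def dh_order_issue(gateway_groups, client_groups):
    """Return None when the orders are compatible, else a short reason.
    In aggressive mode the initiator's first message already carries its
    key-exchange payload for its first-listed group, so that group must
    also lead the gateway's list unless the client offers only one."""
    if not client_groups:
        return "client offers no DH group"
    if not gateway_groups:
        return "gateway configures no DH group"
    first = client_groups[0]
    if first not in gateway_groups:
        return "client's first group %d not enabled on gateway" % first
    if len(client_groups) > 1 and gateway_groups[0] != first:
        return ("order mismatch: client leads with %d, gateway leads with %d"
                % (first, gateway_groups[0]))
    return None


if __name__ == "__main__":
    for name, order in parse_phase1_dhgrp(FORTIGATE_CONFIG).items():
        print(name, order, dh_order_issue(order, FORTICLIENT_DHGRP))
```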

