Oktawiusz
Visitor III
December 18, 2025
Solved

IPsec VPN connection issue on FortiClient Android after FortiGate upgrade to v7.6.5

  • December 18, 2025
  • 4 replies
  • 3309 views

Hello,

After upgrading FortiGate to version 7.6.5, we encountered issues with IPsec tunnels. According to the Fortinet technical article, the default Diffie-Hellman group values were changed from 5 to 14, 20, and 21.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-tunnels-not-connecting-after-upgrade-to-v7-6/ta-p/423320

Current situation:

  • On PC clients, the issue was resolved by changing the configuration and setting matching DH groups (14, 20, 21) on both sides of the connection
  • Tunnels are working correctly after synchronizing the settings

Problem: The FortiClient VPN application on Android does not have the option to select DH groups higher than 14. As a result, mobile users cannot establish a VPN connection after the FortiGate upgrade.

Questions:

  1. Is there a planned update for FortiClient Android application with support for DH groups 20 and 21?
  2. What is the recommended temporary workaround - should we roll back the configuration on FortiGate to older DH groups, or is there another option?
  3. Is it possible to configure different IPsec policies for mobile and desktop clients?

Thank you in advance for your help.

4 replies

AEK
SuperUser
December 18, 2025

Hi Oktaw

Which FCT version number are you using on your Android? Is it the free version or the licensed one?

14 is still safe. Just configure your Android to use 14 and it should work since they both share at least one common proposal.

It is also possible to use different IPsec config for Windows and Android. Each connects to its dedicated tunnel.

AEK
HarryTran
Staff
December 18, 2025
Oktawiusz (Author)
Visitor III
December 29, 2025

After a detailed IKE debug analysis, the DH groups are correct now.

ACTUAL PROBLEM:
Phase 2 Quick Mode response packets from FortiGate are not reaching Android clients, while PC clients work perfectly with identical FortiGate configuration.

Evidence from IKE debug logs:
- Phase 1: ✅ Completes successfully (DH group 14 negotiated correctly)
- XAUTH: ✅ Authentication succeeds (including 2FA token)
- Phase 2: ✅ FortiGate creates IPsec SA successfully
  - Time 22:08:12.552 - added IPsec SA: SPIs=xxxx
  - Time 22:08:12.553 - sent IKE msg (quick_r1send): xxxxx:4500->xxxxxx:59893, len=444 bytes
- ❌ Android client never receives Phase 2 response and continuously retransmits:
  - Time 22:08:15.620 - retransmission, ignored since still generating response
  - Time 22:08:18.649 - retransmission (retry #2)
  - Time 22:08:21.663 - retransmission (retry #3)
  - Pattern continues indefinitely...

CRITICAL: PC clients work flawlessly with the same FortiGate 7.6.5 configuration, indicating this is specific to FortiClient Android handling of NAT-T packets.

Versions:
- FortiGate: v7.6.5 build 3651 (GA.M)
- FortiClient Android: v7.4.3.0185 ❌ FAILING
- FortiClient PC: ✅ Working normally

Troubleshooting attempted:
- Disabled PFS in phase2-interface - NO CHANGE
- Enabled fragmentation on phase1-interface - NO CHANGE
- Android client still fails at exact same point

Questions:
1. Is this a confirmed bug in FortiClient Android 7.4.3 with FortiGate 7.6.5?
2. Which FortiClient Android version is recommended/tested with FG 7.6.5?
3. Is there a workaround without downgrading FortiGate firmware?

The 444-byte Phase 2 packet appears to be dropped/fragmented incorrectly only by Android client. Any guidance would be greatly appreciated!
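
Added example (not from the original post or from Fortinet): a small Python checker that applies the reasoning of the debug excerpt above to raw IKE debug lines, separating a Quick Mode reply that was sent but only ever followed by client retransmissions from a normal exchange. The line format, addresses and SPIs are constructed to mirror the excerpt; real FortiGate IKE debug output carries more fields (tunnel name, message ids), so the regexes would need widening for production logs.

```python
import re

# Constructed samples modeled on the IKE debug excerpt in the post above
# (RFC 5737 documentation addresses, placeholder SPIs; not real captures).
FAILING_ANDROID = """\
22:08:12.552 added IPsec SA: SPIs=0x11111111/0x22222222
22:08:12.553 sent IKE msg (quick_r1send): 192.0.2.1:4500->198.51.100.7:59893, len=444 bytes
22:08:15.620 retransmission, ignored since still generating response
22:08:18.649 retransmission (retry #2)
22:08:21.663 retransmission (retry #3)
"""
WORKING_PC = """\
22:10:01.100 added IPsec SA: SPIs=0x33333333/0x44444444
22:10:01.101 sent IKE msg (quick_r1send): 192.0.2.1:4500->198.51.100.9:4500, len=444 bytes
"""

TS = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) (.*)$")
SEND = re.compile(r"sent IKE msg \(quick_r1send\): (\S+)->(\S+), len=(\d+)")

def _secs(h, m, s, ms):
    return int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000

def analyze(debug_text, min_retries=2):
    """Classify one Quick Mode exchange as seen by the responder (FortiGate).

    SA installed + quick_r1send sent + only client retransmissions afterwards
    means the reply is not reaching the client: the SA exists on the gateway only.
    """
    sa_added, sent, retrans = False, None, []
    for line in debug_text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        t, msg = _secs(*m.groups()[:4]), m.group(5)
        if "added IPsec SA" in msg:
            sa_added = True
        elif (s := SEND.search(msg)):
            sent = {"time": t, "src": s.group(1), "dst": s.group(2), "len": int(s.group(3))}
        elif sent and "retransmission" in msg:
            retrans.append(t)
    if not (sa_added and sent):
        return {"verdict": "phase2_incomplete", "retransmissions": len(retrans)}
    times = [sent["time"]] + retrans       # reply time, then each client retry
    intervals = [round(b - a, 3) for a, b in zip(times, times[1:])]
    verdict = "phase2_response_not_received" if len(retrans) >= min_retries else "phase2_ok"
    return {"verdict": verdict, "retransmissions": len(retrans), "reply_len": sent["len"],
            "intervals": intervals,  # steady ~3 s gaps = client retry timer, no progress
            # Responder sending from UDP/4500: the exchange is NAT-T encapsulated.
            "nat_t": sent["src"].endswith(":4500")}
```

Running `analyze` on the failing sample reports three retries at roughly 3-second gaps behind a 444-byte NAT-T reply, which is the signature to compare against a packet capture on the client side of the NAT.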

Jaye17 (Answer)
Staff
January 2, 2026

Hello Team, 

This appears to have been already reported and is currently being investigated. The available workaround for now is to downgrade to 7.6.4 and below.