FortiClient
a677579 (Staff)
Article Id 415722
Description This article describes the error seen in the FortiClient and FortiGate logs when FortiClient is configured to connect over IPsec in aggressive mode with multiple matching Diffie-Hellman (DH) groups selected, even though the DH group configuration matches on both ends.
Scope FortiClient v7.2, v7.4 and v7.6.
Solution

On FortiClient, the following is observed in the exported logs and on the notification bar:

FortiClient logs: utmaction=passthrough utmevent=vpn threat=disconnects
Windows notification bar: Timeout while connecting to X.X.X.X

On the FortiGate, the debug settings vary depending on the firmware version.

  •  For FortiGate v7.4.8_build2795, run the following IKE debug commands:

diagnose debug disable
diagnose debug reset
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable

With the debug running, the IKE output for a failing connection looks like this:

ike 1:13624: SA proposal chosen, matched gateway Dialup01
ike 1:Dialup01:Dialup01: created connection: 10.9.1.65->72.2.8.9:1011.
ike 1:Dialup01: HA start as master
ike 1:Dialup01:13624: DPD negotiated
ike 1:Dialup01:13624: XAUTHv6 negotiated
ike 1:Dialup01:13624: peer supports UNITY
ike 1:Dialup01:13624: enable FortiClient license check
ike 1:Dialup01:13624: FEC vendor ID received FEC but IP not set
ike 1:Dialup01:13624: selected NAT-T version: RFC 3947
ike 1:Dialup01:13624: failed to compute DH shared secret
ike 1:Dialup01: connection expiring due to phase1 down
ike 1:Dialup01: going to be deleted

diagnose debug disable <----- Run this command to stop the debug.

Root Cause: The order in which the DH groups are listed on the FortiGate caused this error. In IKEv1 aggressive mode the initiator (FortiClient) sends its key exchange (KE) payload in the first message, so it commits to the first DH group in its own list before the responder has selected a proposal; the group cannot be renegotiated afterwards. The FortiGate selects the first group in its dhgrp list that the client also offered. When that group differs from the one the client's KE payload was built for, the shared secret cannot be computed and phase 1 fails with 'failed to compute DH shared secret'.

config vpn ipsec phase1-interface
    edit "Dialup01"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 20 14 <----- Group 20 is listed before group 14.

Capture.PNG (screenshot of the DH group selection in the FortiClient VPN settings)

On the FortiClient side, group 14 is listed first.

 

Solution:

Option 1: Edit the VPN using the CLI on the FortiGate and change the order so that group 14 comes first, matching the FortiClient order:

config vpn ipsec phase1-interface
    edit "Dialup01"
        set dhgrp 14 20
    next
end

Option 2: Select only one DH group on the FortiClient side, so that the group the client commits to in its KE payload is the only group the FortiGate can choose:

Capture2.PNG (screenshot of the DH group selection in the FortiClient VPN settings)
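The following is an added example, not Fortinet code and not part of the original article. It models the aggressive-mode DH group selection described above so the root cause and both fixes can be checked side by side. It assumes (as labelled in the comments) that the initiator commits its KE payload to the first group in its own list and that the responder accepts the first group in its own dhgrp list that the initiator also offered; the phase1 config snippet, the client group lists and the IKE debug line are constructed from the article's own values.

```python
import re
from typing import List, Optional

# Added example, not Fortinet code: a small model of how IKEv1 aggressive-mode
# DH group selection can fail when FortiGate and FortiClient list the same
# groups in a different order. Assumptions (labelled, not from the article):
#  - the initiator (FortiClient) builds its KE payload for the FIRST group in
#    its own list and cannot change it later, since the KE goes out in
#    aggressive-mode message 1;
#  - the responder (FortiGate) accepts the first group in its own dhgrp list
#    that the initiator also offered.
# If those two groups differ, the shared secret cannot be computed.

# Constructed phase1-interface excerpt mirroring the article's "Dialup01" config.
FORTIGATE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "Dialup01"
        set type dynamic
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 20 14
    next
end
"""

# Constructed IKE debug line copied from the symptom described in the article.
IKE_DEBUG_SAMPLE = "ike 1:Dialup01:13624: failed to compute DH shared secret"

DHGRP_RE = re.compile(r"^[ \t]*set dhgrp[ \t]+((?:\d+[ \t]*)+)$", re.MULTILINE)


def parse_fortigate_dhgrp(phase1_config: str) -> List[int]:
    """Return the ordered DH group list from a 'set dhgrp ...' line."""
    match = DHGRP_RE.search(phase1_config)
    if match is None:
        raise ValueError("no 'set dhgrp' line found in phase1 config")
    return [int(g) for g in match.group(1).split()]


def responder_choice(gateway_groups: List[int], client_groups: List[int]) -> Optional[int]:
    """Group the FortiGate picks: first of its own list that the client offered."""
    return next((g for g in gateway_groups if g in client_groups), None)


def initiator_ke_group(client_groups: List[int]) -> Optional[int]:
    """Group the FortiClient KE payload is built for: its first listed group."""
    return client_groups[0] if client_groups else None


def aggressive_mode_outcome(gateway_groups: List[int], client_groups: List[int]) -> str:
    """Predict the phase 1 result for a given pair of ordered group lists."""
    chosen = responder_choice(gateway_groups, client_groups)
    ke_group = initiator_ke_group(client_groups)
    if chosen is None:
        return "no proposal chosen"
    if chosen != ke_group:
        return f"failed to compute DH shared secret (KE group {ke_group}, responder chose {chosen})"
    return f"phase1 up (group {chosen})"


def is_dh_mismatch(ike_debug_output: str) -> bool:
    """True if an IKE debug capture contains the DH shared-secret failure."""
    return "failed to compute DH shared secret" in ike_debug_output


def main() -> None:
    gateway = parse_fortigate_dhgrp(FORTIGATE_PHASE1)   # [20, 14] as in the article
    client = [14, 20]                                     # FortiClient lists 14 first
    print("As configured:", aggressive_mode_outcome(gateway, client))
    print("Option 1 (FortiGate 'set dhgrp 14 20'):", aggressive_mode_outcome([14, 20], client))
    print("Option 2 (FortiClient offers only 20):", aggressive_mode_outcome(gateway, [20]))
    print("Debug shows DH mismatch:", is_dh_mismatch(IKE_DEBUG_SAMPLE))


if __name__ == "__main__":
    main()
```

Running it shows the configured pair failing with the same 'failed to compute DH shared secret' condition as the debug output, and both fixes succeeding: reordering the FortiGate list makes the responder's choice equal the client's KE group, and offering a single group on the client removes the ambiguity entirely. The model also makes clear that leaving both lists identical but reversed, as in the article, is the case to look for when the configuration "matches" on both ends.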