Created on 07-13-2016 11:53 AM
Edited on 07-30-2025 02:09 AM
By Anthony_E
Description
This article describes the error that appears in the FortiClient and FortiGate logs when FortiClient is configured to connect to an IPsec VPN in aggressive mode with multiple matching Diffie-Hellman (DH) groups selected, even though the configuration matches on both ends.
Scope
FortiClient v7.2, v7.4 and v7.6.
Solution
On FortiClient, the following error message is observed in the exported logs:
msg="No response from the peer, phase1 retransmit reaches maximum count"
The following message may also appear on FortiClient:
On the FortiGate, run the following IKE debug commands; the debug settings vary depending on the firmware version:
diagnose debug disable
diagnose debug reset
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable
2024-09-03 05:14:29.602513 ike 0:ae258a933eed2138/0000000000000000:65: SA proposal chosen, matched gateway FCT_Ipsec
2024-09-03 05:14:29.602580 ike 0:FCT_Ipsec: created connection: 0x7ca2e20 7 192.168.1.75->192.168.1.74:500.
2024-09-03 05:14:29.602612 ike 0:FCT_Ipsec:65: DPD negotiated
2024-09-03 05:14:29.602631 ike 0:FCT_Ipsec:65: XAUTHv6 negotiated
2024-09-03 05:14:29.602661 ike 0:FCT_Ipsec:65: peer supports UNITY
2024-09-03 05:14:29.602678 ike 0:FCT_Ipsec:65: enable FortiClient license check
2024-09-03 05:14:29.602697 ike 0:FCT_Ipsec:65: enable FortiClient endpoint compliance check, use 169.254.1.1
2024-09-03 05:14:29.602715 ike 0:FCT_Ipsec:65: selected NAT-T version: RFC 3947
2024-09-03 05:14:29.602755 ike 0:FCT_Ipsec:65: generate DH public value request queued
2024-09-03 05:14:29.602792 ike 0:FCT_Ipsec:65: failed to compute DH shared secret
2024-09-03 05:14:29.602863 ike 0:FCT_Ipsec: connection expiring due to phase1 down
2024-09-03 05:14:29.602883 ike 0:FCT_Ipsec: deleting
2024-09-03 05:14:29.602905 ike 0:FCT_Ipsec: deleted
ike V=root:0:bc230472d864dae5/0000000000000000:306: SA proposal chosen, matched gateway Test_Ipsec
ike V=root:0:Test_Ipsec: created connection: 0x9fd7a80 7 192.168.1.77->192.168.1.75:1012.
ike V=root:0:Test_Ipsec:306: DPD negotiated
ike V=root:0:Test_Ipsec:306: XAUTHv6 negotiated
ike V=root:0:Test_Ipsec:306: peer supports UNITY
ike V=root:0:Test_Ipsec:306: enable FortiClient license check
ike V=root:0:Test_Ipsec:306: enable FortiClient endpoint compliance check, use 169.254.1.1
ike V=root:0:Test_Ipsec:306: selected NAT-T version: RFC 3947
ike V=root:0:Test_Ipsec:306: generate DH public value request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
****** Thousands of identical lines have been omitted ******
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: negotiation timeout, deleting
ike V=root:0:Test_Ipsec: connection expiring due to phase1 down
ike V=root:0:Test_Ipsec: going to be deleted
diagnose debug disable <----- Use this command to stop the debug.
Ensure that the FortiGate and the FortiClient have only one DH group in common, in both phase 1 and phase 2 of the IPsec dial-up configuration in aggressive mode, even if both the FortiGate and the FortiClient have multiple DH groups enabled. Additionally, reset the pre-shared key on both the FortiGate and FortiClient ends.
For example, this can be done by selecting only one DH group on either the FortiGate or the FortiClient. If DH groups 14 and 5 are selected on the FortiGate, then select only 14 or only 5 on the FortiClient.
To make the changes in FortiClient, navigate to IPsec VPN -> Advanced settings -> Phase 1 -> Select 14/5:
In Phase 2, select DH 5:
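The two checks a practitioner would want while troubleshooting this case, as an added example that is not part of the Fortinet article: a helper that applies the "exactly one DH group in common per phase" rule to the group lists configured on each side, and a helper that scans a FortiGate ike debug capture for the two signatures shown above (the "failed to compute DH shared secret" line, or a flood of "compute DH shared secret request queued" lines ending in "negotiation timeout"). The function names, the sample group lists and the queued-line threshold are assumptions for illustration; the sample log excerpt is constructed from the output shown above.

```python
import re

DH_FAIL = re.compile(r"failed to compute DH shared secret")
DH_QUEUED = re.compile(r"compute DH shared secret request queued")
TIMEOUT = re.compile(r"negotiation timeout, deleting")


def check_dh_overlap(fgt_phase1, fct_phase1, fgt_phase2, fct_phase2):
    """Return {phase: (common_groups, ok)} for the DH groups enabled on the
    FortiGate and on FortiClient. ok is True only when exactly one group is
    shared in that phase: none at all cannot negotiate, and more than one is
    the aggressive-mode condition the article describes."""
    result = {}
    for phase, fgt, fct in (("phase1", fgt_phase1, fct_phase1),
                            ("phase2", fgt_phase2, fct_phase2)):
        common = sorted(set(fgt) & set(fct))
        result[phase] = (common, len(common) == 1)
    return result


def ike_debug_shows_dh_failure(lines, queued_threshold=3):
    """True when a 'diagnose debug app ike -1' capture matches either
    signature. queued_threshold is an assumed, deliberately low count: the
    article's capture has thousands of queued lines before the timeout."""
    queued = 0
    for line in lines:
        if DH_FAIL.search(line):
            return True
        if DH_QUEUED.search(line):
            queued += 1
        elif TIMEOUT.search(line) and queued >= queued_threshold:
            return True
    return False


# Constructed configurations: FortiGate with groups 14 and 5 in both phases.
BROKEN = check_dh_overlap([14, 5], [14, 5], [14, 5], [5])   # phase1 shares two
FIXED = check_dh_overlap([14, 5], [14], [14, 5], [5])       # one per phase

# Constructed excerpt of the FortiGate debug output shown above.
SAMPLE_LOG = """ike 0:FCT_Ipsec:65: generate DH public value request queued
ike 0:FCT_Ipsec:65: failed to compute DH shared secret
ike 0:FCT_Ipsec: connection expiring due to phase1 down""".splitlines()

if __name__ == "__main__":
    print("broken:", BROKEN)
    print("fixed:", FIXED)
    print("debug shows DH failure:", ike_debug_shows_dh_failure(SAMPLE_LOG))
```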
Related article:
Copyright 2025 Fortinet, Inc. All Rights Reserved.