FortiClient
asostizzo_FTNT
Article Id 189924

Description

This article describes an error that appears in the FortiClient and FortiGate logs when FortiClient is configured to connect with an aggressive-mode IPsec tunnel and more than one matching Diffie-Hellman (DH) group is selected, even though the configuration matches on both ends.

Scope

FortiClient v7.2, v7.4 and v7.6.

Solution

On FortiClient, the following error message is observed in the exported logs:

msg="No response from the peer, phase1 retransmit reaches maximum count"

 

An additional error message may also appear in the FortiClient GUI (screenshot not reproduced here).

On the FortiGate, debugs vary depending on the firmware.

 

  •  For FortiGate v7.2.x, the IKE debugs are as follows:

2024-09-03 05:14:29.602513 ike 0:ae258a933eed2138/0000000000000000:65: SA proposal chosen, matched gateway FCT_Ipsec
2024-09-03 05:14:29.602580 ike 0:FCT_Ipsec: created connection: 0x7ca2e20 7 192.168.1.75->192.168.1.74:500.
2024-09-03 05:14:29.602612 ike 0:FCT_Ipsec:65: DPD negotiated
2024-09-03 05:14:29.602631 ike 0:FCT_Ipsec:65: XAUTHv6 negotiated
2024-09-03 05:14:29.602661 ike 0:FCT_Ipsec:65: peer supports UNITY
2024-09-03 05:14:29.602678 ike 0:FCT_Ipsec:65: enable FortiClient license check
2024-09-03 05:14:29.602697 ike 0:FCT_Ipsec:65: enable FortiClient endpoint compliance check, use 169.254.1.1
2024-09-03 05:14:29.602715 ike 0:FCT_Ipsec:65: selected NAT-T version: RFC 3947
2024-09-03 05:14:29.602755 ike 0:FCT_Ipsec:65: generate DH public value request queued
2024-09-03 05:14:29.602792 ike 0:FCT_Ipsec:65: failed to compute DH shared secret
2024-09-03 05:14:29.602863 ike 0:FCT_Ipsec: connection expiring due to phase1 down
2024-09-03 05:14:29.602883 ike 0:FCT_Ipsec: deleting
2024-09-03 05:14:29.602905 ike 0:FCT_Ipsec: deleted

 

 

  •  For FortiGate v7.4.x and v7.6.x, the IKE debug outputs are as follows, and the message ‘compute DH shared secret request queued’ is repeated in the debug logs:

ike V=root:0:bc230472d864dae5/0000000000000000:306: SA proposal chosen, matched gateway Test_Ipsec
ike V=root:0:Test_Ipsec: created connection: 0x9fd7a80 7 192.168.1.77->192.168.1.75:1012.
ike V=root:0:Test_Ipsec:306: DPD negotiated
ike V=root:0:Test_Ipsec:306: XAUTHv6 negotiated
ike V=root:0:Test_Ipsec:306: peer supports UNITY
ike V=root:0:Test_Ipsec:306: enable FortiClient license check
ike V=root:0:Test_Ipsec:306: enable FortiClient endpoint compliance check, use 169.254.1.1
ike V=root:0:Test_Ipsec:306: selected NAT-T version: RFC 3947
ike V=root:0:Test_Ipsec:306: generate DH public value request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued

****** Thousands of identical lines have been omitted ******

ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: negotiation timeout, deleting
ike V=root:0:Test_Ipsec: connection expiring due to phase1 down
ike V=root:0:Test_Ipsec: going to be deleted

 

For an IPsec dial-up configuration in aggressive mode, ensure that the FortiGate and the FortiClient have only one DH group in common in phase1 and only one DH group in common in phase2, even if both the FortiGate and the FortiClient have multiple DH groups enabled.

For example, select only one DH group on either the FortiGate or the FortiClient. If DH groups 14 and 5 are selected on the FortiGate, then select only 14 or only 5 on the FortiClient.
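As an added example that is not Fortinet's code and not part of this article, the following Python check parses a FortiOS CLI dump of the `vpn ipsec phase1-interface` and `phase2-interface` tables (the excerpt below is constructed) and flags every dynamic, aggressive-mode gateway whose phase1 or phase2 shares more than one DH group with a given FortiClient DH group list. The command syntax (`set type dynamic`, `set mode aggressive`, `set dhgrp 14 5`) is FortiOS; the parser and its assumption that an omitted `dhgrp` means the FortiOS default "14 5" are mine.

```python
import re
# Constructed FortiOS CLI excerpt (not from the article): a dial-up gateway in
# aggressive mode using the FortiOS default DH groups "14 5" in both phases.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "FCT_Ipsec"
        set type dynamic
        set mode aggressive
        set dhgrp 14 5
    next
end
config vpn ipsec phase2-interface
    edit "FCT_Ipsec"
        set phase1name "FCT_Ipsec"
        set dhgrp 14 5
    next
end"""


def parse_ipsec_blocks(config: str) -> dict:
    """Map each phase1/phase2 entry name to its 'set <key> <value>' pairs."""
    result = {"phase1": {}, "phase2": {}}
    section = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r'config vpn ipsec (phase[12])-interface', line):
            section = m.group(1)
        elif m := re.match(r'edit "([^"]+)"', line):
            name = m.group(1)
        elif m := re.match(r'set (\S+) (.+)', line):
            result[section].setdefault(name, {})[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            name = None
        elif line == "end":
            section = None
    return result


def aggressive_dialup_findings(config: str, client_groups: set) -> list:
    cfg = parse_ipsec_blocks(config)
    findings = []
    for name, p1 in cfg["phase1"].items():
        if p1.get("type") != "dynamic" or p1.get("mode") != "aggressive":
            continue  # the article's symptom is specific to aggressive-mode dial-up
        phases = [("phase1", p1)] + [("phase2", p2) for p2 in cfg["phase2"].values()
                                     if p2.get("phase1name") == name]
        for label, entry in phases:
            # Assumption: a dump that omits dhgrp is using the FortiOS default "14 5".
            groups = {int(g) for g in entry.get("dhgrp", "14 5").split()}
            common = sorted(groups & client_groups)
            if len(common) > 1:
                findings.append(f"{name} {label}: DH groups {common} in common; keep exactly one")
    return findings
```

Run it with the DH groups enabled on the FortiClient side, e.g. `aggressive_dialup_findings(SAMPLE_CONFIG, {14, 5})`; an empty list means each phase has exactly one group in common, as the article recommends.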