This article describes an issue where a VPN user is unable to connect Dialup IPSEC VPN with the FortiClient version (7.X.) as the dialup client when multiple Diffie-Hellman groups are selected.

The ike phase-1 negotiated with SA proposal chosen, but timeout with 'ike 0:<tunnel>:<xx>: parse error ' error.

The ike debug output is shown below:

ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup
ike 0:Dialup: created connection: 0xdd48830 3 10.47.2.6->10.47.2.149:1011.
ike 0:Dialup:27: DPD negotiated
ike 0:Dialup:27: XAUTHv6 negotiated
ike 0:Dialup:27: peer supports UNITY
ike 0:Dialup:27: enable FortiClient license check
ike 0:Dialup:27: enable FortiClient endpoint compliance check, use 169.254.2.1
ike 0:Dialup:27: selected NAT-T version: RFC 3947
ike 0:Dialup:27: cookie eeb4c223b2101232/5cedbcca290d1714
ike 0:Dialup:27: ISAKMP SA eeb4c223b2101232/5cedbcca290d1714 key 16:4F86B6E5801A736253390A3DF95E9F81
...
ike 0:Dialup:27: parse error <--
...
ike 0:Dialup:27: negotiation timeout, deleting
ike 0:Dialup: connection expiring due to phase1 down

This is because FortiClient cannot support multiple phase1 Diffie-Hellman (DH) groups for aggressive mode.

Make sure FortiClient uses only one Diffie-Hellman (DH) group with VPN phase 1 aggressive mode configuration.

For example:

FortiGate CLI:

Dialup IPSEC VPN is configured to accept Diffie-Hellman (DH) groups 5 and 14 in phase 1 interface configurations.

config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256

        set dhgrp 14 5  <--

FortiGate GUI:

FortiClient:

Edit VPN Connection -> Advanced Settings -> Phase 1 -> DH Group -> Select only one DH group 14 or 5 to match.