Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
KC_Hing
Staff
Staff

Created on ‎06-13-2023 01:50 AM Edited on ‎09-18-2025 08:20 AM By Moderator

Article Id 260028

Technical Tip: Dialup IPsec VPN 'ike 0:<tunnel>:<xx>: parse error ' error

Description

This article describes an issue where a VPN user is unable to connect Dial-up IPsec VPN with the FortiClient version (7.X.) as the dial-up client when multiple Diffie-Hellman groups are selected.

 

The ike phase-1 negotiated with SA proposal chosen, but timeout with 'ike 0:<tunnel>:<xx>: parse error ' error.

 

The ike debug output is shown below:

 

ike 0:eeb4c223b2101232/0000000000000000:27: SA proposal chosen, matched gateway Dialup
ike 0:Dialup: created connection: 0xdd48830 3 10.47.2.6->10.47.2.149:1011.
ike 0:Dialup:27: DPD negotiated
ike 0:Dialup:27: XAUTHv6 negotiated
ike 0:Dialup:27: peer supports UNITY
ike 0:Dialup:27: enable FortiClient license check
ike 0:Dialup:27: enable FortiClient endpoint compliance check, use 169.254.2.1
ike 0:Dialup:27: selected NAT-T version: RFC 3947
ike 0:Dialup:27: cookie eeb4c223b2101232/5cedbcca290d1714
ike 0:Dialup:27: ISAKMP SA eeb4c223b2101232/5cedbcca290d1714 key 16:4F86B6E5801A736253390A3DF95E9F81
...
ike 0:Dialup:27: parse error <--
...
ike 0:Dialup:27: negotiation timeout, deleting
ike 0:Dialup: connection expiring due to phase1 down
Scope FortiGate and FortiClient 7.0 and above.
 

This is because FortiClient cannot support multiple phase1 Diffie-Hellman (DH) groups for aggressive mode.

Make sure FortiClient uses only one Diffie-Hellman (DH) group with VPN phase 1 aggressive mode configuration.

 

For example:

 

FortiGate CLI:

Dialup IPSEC VPN is configured to accept Diffie-Hellman (DH) groups 5 and 14 in phase 1 interface configurations.

 

config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256

        set dhgrp 14 5  <--

FortiGate GUI:


dhgrp.JPG

 

FortiClient:

Edit VPN Connection -> Advanced Settings -> Phase 1 -> DH Group -> Select only one DH group 14 or 5 to match.

 

dhgrp1.JPG

 

It is strictly recommended to use the same parameters on FortiGate and FortiClient. It does not matter if the SA is negotiated: if some parameters do not match, they may cause parse errors and prevent the negotiation from being established:

 

HarveyRebelo_1-1758132983638.png
3659
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.