| Description | This article describes an expected behavior where the FortiGate loses DH Groups 1, 2, and 5 in the IPsec tunnel configuration when upgrading a FIPS-enabled FortiGate from the v7.0 FIPS specialty firmware to the v7.2/7.4 versions of this firmware. Additionally, the iked daemon can be observed crashing with Signal 6 (Aborted) after the firmware upgrade is completed. |
| Scope | FortiGate FIPS-CC. |
| Solution |
First, refer to the following KB article regarding the FIPS 140-2/140-3 transition for FortiOS: Technical Tip: Key considerations when upgrading FIPS FortiGates from FIPS 140-2 (v7.0 and earlier) ....
As part of the new FIPS 140-3 standard, algorithms used for Diffie-Hellman (DH) key exchange have now been limited to a minimum of 2048 bits for Finite Field Cryptography (FFC) and 224 bits for Elliptic Curve Cryptography (ECC). Refer to Appendix D in the following NIST document for more information: NIST SP 800-56A.
For IPsec on the FortiGate, these new restrictions mean that the following DH Groups are no longer allowed when FIPS-CC mode is enabled on FortiGates targeting the FIPS 140-3 standard: DH Group 1 (768-bit MODP), DH Group 2 (1024-bit MODP) and DH Group 5 (1536-bit MODP), all of which fall below the 2048-bit FFC minimum.
Furthermore, after upgrading a FortiGate from an earlier FIPS 140-2 based firmware to the newer FIPS 140-3 based firmware, two main behaviors/issues will be observed: DH Groups 1, 2 and 5 are silently dropped from the dhgrp setting of the affected IPsec Phase1 configurations, and the iked daemon repeatedly crashes with Signal 6 (Aborted) once the upgrade has completed.
To confirm if this scenario is occurring, run the command diagnose debug crashlog read and check for iked crash entries reporting Signal 6 together with the firmware line, which shows that a FIPS-CC 140-3 build is now running (FIPS-CC-72-4 for v7.2.8 in this example):
FortiGate # diagnose debug crashlog read
[...]
473: 2026-01-15 14:05:39 <00399> firmware FortiGate-61F v7.2.8,build9543b1639,250502 (FIPS-CC-72-4)
Crash log interval is 3600 seconds
Another validation method is to run the following iked debug commands and check for the presence of a repeated message similar to 'ike addspspec:1132: unknown dhgrp 0' (the group count no longer matches the stored group list, so iked reads an invalid group of 0). Turn the debug output off again with diagnose debug disable once the check is done:
diagnose debug application ike -1
diagnose debug enable
Recommendations for users upgrading from earlier FIPS Certified/CVE-Patched FortiOS versions: Before executing the upgrade, review the existing IPsec VPN configuration to see if DH Groups 1, 2, or 5 are currently in-use and modify the dhgrp setting to only utilize DH Groups that meet the FIPS 140-3 requirement. For reference, Groups 14 through 21 and 27 through 32 are allowed to be used with FIPS 140-3.
A quick way to check the existing DH Group settings from the CLI is the command show vpn ipsec phase1-interface | grep -f dhgrp, which prints the configuration context of each VPN tunnel and highlights the DH Group currently set in the Phase1 settings. Note that show omits settings left at their default value; use show full-configuration to see the dhgrp value of tunnels that do not display a dhgrp line. The same review applies to phase2-interface entries with PFS enabled, since those carry their own dhgrp setting.
If the upgrade has already been executed and the iked Signal 6 crashes are occurring, then one of the following options can be implemented to resolve the issue:
Option 1: Change to a different dhgrp setting OR manually re-apply the setting. As an example, consider the case where the VPN tunnel had set dhgrp 14 5 applied before the firmware upgrade. After the upgrade, the setting will visually show set dhgrp 14, but iked keeps crashing because the stored count of configured DH Groups still reflects the pre-upgrade list and no longer matches the groups actually present.
To resolve this, either change away to a different DH Group (such as DH Group 20) or change away and then change back to the original DH Group:
FortiGate # config vpn ipsec phase1-interface
FortiGate (phase1-interface) # edit Example_VPN
FortiGate (Example_VPN) # show | grep dhgrp
    set dhgrp 14            <--- dhgrp was originally 14 5 before the upgrade, now visually shows 14.
FortiGate (Example_VPN) # set dhgrp 20   <--- Can stop here if the remote VPN peer is also using DH Group 20.
FortiGate (Example_VPN) # next
FortiGate (phase1-interface) # edit Example_VPN
FortiGate (Example_VPN) # show | grep dhgrp
    set dhgrp 20
FortiGate (Example_VPN) # set dhgrp 14   <--- Changing back to DH Group 14
FortiGate (Example_VPN) # end
FortiGate #
Note: Simply re-applying the same DH Groups (i.e., set dhgrp 14) is not sufficient to resolve the issue, because setting a value that is already configured does not rewrite the stored entry. The DH Groups must actually change for the fix to apply; the remote VPN peer must of course accept whichever group is left in place.
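The following script is an added example and is not part of the original article or Fortinet's own tooling. It parses the text of show vpn ipsec phase1-interface, reports every tunnel that still lists DH Group 1, 2 or 5 (the pre-upgrade review recommended above), and generates the CLI needed to fix each one: before the upgrade it simply strips the non-compliant groups; after the upgrade it emits the change-away-then-change-back sequence from Option 1, since re-applying the same value is ignored. The SAMPLE_CONFIG text, the tunnel names and the 203.0.113.x addresses are constructed for the example; the use of DH Group 14 as a fallback when a tunnel has no compliant group left, and of Group 20 as the temporary group, are assumptions taken from the article's own example and must be agreed with the remote peer.

```python
import re

# Constructed sample modelled on `show vpn ipsec phase1-interface` output.
# It is NOT output from a real FortiGate; names and addresses are made up.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Example_VPN"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14 5
        set remote-gw 203.0.113.10
    next
    edit "Legacy_VPN"
        set interface "wan1"
        set ike-version 1
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 203.0.113.20
    next
    edit "Clean_VPN"
        set interface "wan2"
        set ike-version 2
        set proposal aes256gcm-prfsha384
        set dhgrp 20 14
        set remote-gw 203.0.113.30
    next
    edit "Default_VPN"
        set interface "wan2"
        set remote-gw 203.0.113.40
    next
end
"""

# DH groups FIPS-CC mode rejects on FIPS 140-3 firmware (FFC below 2048 bits).
DISALLOWED_GROUPS = {1, 2, 5}
# Groups the article lists as usable under FIPS 140-3.
ALLOWED_GROUPS = set(range(14, 22)) | set(range(27, 33))
# Assumption: group substituted when nothing compliant remains (2048-bit MODP).
FALLBACK_GROUP = 14


def parse_phase1_dhgrp(config_text):
    """Map tunnel name -> list of configured DH groups, or None when `show`
    omitted the dhgrp line (value at default; check `show full-configuration`)."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = None
            continue
        m = re.match(r"^set dhgrp ((?:\d+\s*)+)$", line)
        if m and current is not None:
            tunnels[current] = [int(g) for g in m.group(1).split()]
        elif line == "next":
            current = None
    return tunnels


def audit(tunnels):
    """Return {name: sorted offending groups} for tunnels that will lose groups.
    Tunnels whose dhgrp is at default (None) are reported with an empty list so
    the operator knows to verify them with `show full-configuration`."""
    findings = {}
    for name, groups in tunnels.items():
        if groups is None:
            findings[name] = []
        else:
            bad = sorted(set(groups) & DISALLOWED_GROUPS)
            if bad:
                findings[name] = bad
    return findings


def remediation_commands(name, groups, post_upgrade=False, temp_group=20):
    """Build the CLI to fix one tunnel.

    Pre-upgrade: drop groups 1/2/5 and keep the compliant remainder.
    Post-upgrade (Option 1 in the article): the stored group count is stale,
    so the value must first change to a *different* group and then be set to
    the wanted list; re-applying the same value is a no-op."""
    keep = [g for g in groups if g in ALLOWED_GROUPS]
    if not keep:
        keep = [FALLBACK_GROUP]  # nothing compliant remained; the peer must match
    target = " ".join(str(g) for g in keep)
    cmds = ["config vpn ipsec phase1-interface", f'    edit "{name}"']
    if post_upgrade:
        if temp_group in keep:  # temporary group must differ from the final list
            temp_group = next(g for g in sorted(ALLOWED_GROUPS) if g not in keep)
        cmds += [f"        set dhgrp {temp_group}", "    next", f'    edit "{name}"']
    cmds += [f"        set dhgrp {target}", "    next", "end"]
    return cmds


if __name__ == "__main__":
    tunnels = parse_phase1_dhgrp(SAMPLE_CONFIG)
    for name, bad in audit(tunnels).items():
        if not bad:
            print(f"{name}: dhgrp not shown (default); verify with show full-configuration")
            continue
        print(f"{name}: uses non-compliant DH group(s) {bad}")
        print("\n".join(remediation_commands(name, tunnels[name])))
```

Run it against the saved output of show vpn ipsec phase1-interface (or show full-configuration to include tunnels at the default value) before the upgrade, and with post_upgrade=True after an upgrade that has already produced the iked crashes.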
Option 2: Reboot the FortiGate. This iked crashing issue only occurs immediately after a firmware upgrade is performed. If the FortiGate is rebooted again, the configuration is freshly reloaded with the correct DH Group count and the crashes will no longer occur.
Related articles:
Copyright 2026 Fortinet, Inc. All Rights Reserved.