nevan
Staff
Article Id 382551
Description This article describes the scenario in which an IPsec dial-up VPN is configured, but FortiClient users are unable to connect or experience an infinite login loop until they receive the connection timeout.
Scope FortiGate, FortiClient, WinOS.
Solution

While troubleshooting the IPsec dial-up VPN with the FortiClient VPN client, the IKE debug output may show the following.


ike V=root:0:bbffa60b000c3597/0000000000000000:43: SA proposal chosen, matched gateway vpn-gateway
ike V=root:0:vpn-gateway:vpn-gateway: created connection: 0xb978bd0 3 84.120.42.62->146.135.219.97:500.
ike V=root:0:vpn-gateway:43: DPD negotiated
ike V=root:0:vpn-gateway:43: XAUTHv6 negotiated
ike V=root:0:vpn-gateway:43: peer supports UNITY
ike V=root:0:vpn-gateway:43: enable FortiClient license check
ike V=root:0:vpn-gateway:43: FEC vendor ID received FEC but IP not set
ike V=root:0:vpn-gateway:43: selected NAT-T version: RFC 3947
ike V=root:0:vpn-gateway:43: generate DH public value request pending
ike V=root:0:vpn-gateway:43: compute DH shared secret request pending
ike V=root:0:vpn-gateway:43: cookie bbffa60b000c3597/36b9e0fa4d95e309


The 'generate DH public value request pending' message indicates that the FortiGate is in the process of generating its Diffie-Hellman (DH) public value as part of the key exchange. The DH algorithm is used to establish a shared secret between the two communicating devices. This step involves selecting a random private key and computing the corresponding public value, which will later be exchanged with the peer.

The 'compute DH shared secret request pending' message means the FortiGate is preparing to compute the shared secret using its own private key and the public value received from the remote peer. This shared secret is critical, since the session keys that encrypt and protect the VPN traffic are derived from it.

The issue may appear for the following reasons: a mismatch in Diffie-Hellman groups between the FortiGate and the remote device, a network issue preventing the key exchange messages from being transmitted properly, or a resource constraint (for example, high CPU usage) delaying the DH computation.


To prevent this, check the following:

  • Both VPN endpoints are using the same DH group.
  • UDP ports 500 (IKE) and 4500 (NAT-T) are not blocked by a firewall.
  • The CPU utilization on the FortiGate is normal.
  • Whether the tunnel name contains any special characters.
  • The Local ID is not set on the FortiGate (dial-up).


If none of the above applies (the ports are correct, there are no network issues, and CPU usage is normal) but the VPN client still receives a connection timeout and the debug output shows 'generate DH public value request pending' and 'compute DH shared secret request pending', report the issue to the Fortinet Technical Support team so that it can be investigated further.


Ensure that there is only one DH group in common in both phase 1 and phase 2 between the FortiGate and the FortiClient for an IPsec dial-up configuration in aggressive mode, even if both the FortiGate and FortiClient have multiple DH groups enabled.
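The following is an added example, not code from this article or from Fortinet: it parses a constructed FortiOS CLI excerpt for the 'set dhgrp' lines of the phase1-interface and phase2-interface blocks and reports any phase whose DH groups in common with an assumed FortiClient group list are not exactly one, which is the condition described above.

```python
"""Check FortiGate dial-up phase1/phase2 DH groups against the client's groups.

Added example; the config text is constructed and the FortiClient group list
is an assumed input, not read from a real device or client profile.
"""
import re

# Constructed FortiOS CLI excerpt (not a real device dump).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "vpn-gateway"
        set type dynamic
        set mode aggressive
        set dhgrp 14 5 2
    next
end
config vpn ipsec phase2-interface
    edit "vpn-gateway-p2"
        set phase1name "vpn-gateway"
        set dhgrp 14 5
    next
end
"""


def parse_dhgrp(config_text):
    """Return {(section, name): set_of_groups} from 'set dhgrp ...' lines.

    Only phase1-interface and phase2-interface blocks are considered."""
    result = {}
    section = name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'config vpn ipsec (phase[12]-interface)$', line)
        if m:
            section = m.group(1)
            continue
        if line == "end":          # leave the current config block
            section = None
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m and section:
            name = m.group(1)
            continue
        m = re.match(r'set dhgrp ((?:\d+\s*)+)$', line)
        if m and section and name:
            result[(section, name)] = {int(g) for g in m.group(1).split()}
    return result


def check_common_dh(config_text, client_groups):
    """Return {(section, name): sorted list of DH groups common with the client}."""
    return {k: sorted(v & set(client_groups))
            for k, v in parse_dhgrp(config_text).items()}


def problems(config_text, client_groups):
    """Phases whose common DH group count is not exactly one (article's guidance)."""
    return [f"{s}/{n}: common DH groups {c}"
            for (s, n), c in check_common_dh(config_text, client_groups).items()
            if len(c) != 1]
```

With the client configured for groups 14 and 5, both phases share two groups and are reported; with the client on group 14 only, the check passes.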



Related articles:

Troubleshooting Tip: Dial-up IPsec VPN in aggressive mode when more than one DH Group is selected
Technical Tip: Incoming proposal ID remains the same in FortiGate IPSec VPN IKE debug
Technical Tip: How to check the assigned IP address for the IPSec dial up client