FortiGate
Pavan_Chintha
Article Id 392483
Description

This article describes a scenario where an IPsec Dial Up Tunnel is configured on the FortiGate using the IPsec Wizard Template, and connecting to the IPsec Dial Up VPN from FortiClient fails with the error 'Timeout while connecting to <remote_gateway_ip>':


(Screenshot: Timeout.JPG)

Scope

FortiGate, FortiClient.
Solution

When the IPsec Dial Up Tunnel has been configured from the IPsec Wizard Template, edit the IPsec Tunnel configuration and select 'Convert to custom tunnel' to view the phase 1 and phase 2 selectors of the Dialup Tunnel.


(Screenshot: Custom_Tunnel.jpg)

 

By default, on the FortiGate, the Diffie-Hellman Groups are 14 and 5 in both the phase 1 and phase 2 selectors of the tunnel settings.


(Screenshot: Phase 1 Selectors.png)

 

(Screenshot: phase 2 selectors.png)

 

In FortiClient, however, the default Diffie-Hellman Group is 20 in both the phase 1 and phase 2 selectors.

(Screenshot: FortiClient Tunnel.png)

 

Because the DH groups in FortiClient and on the FortiGate do not match, the user cannot connect to the IPsec Dial Up VPN and receives the timeout error.

 

A packet capture filtered on the user's public IP can be used to verify the SA proposal sent by FortiClient.

If it does not match any SA proposal configured on the FortiGate, FortiClient shows the timeout error.

 

There can be other reasons for the timeout error as well; these can be verified with an IKE debug. When no proposal is accepted, the following output is seen in the IKE debug:

 

2025-06-12 10:51:23.687782 ike 0:Test-Office:29: sent IKE msg (P1_RETRANSMIT): 172.16.207.2:500->172.18.82.167:500, len=572, vrf=0, id=3e0fbb0e7d5ec20e/0000000000000000
2025-06-12 10:51:25.677582 ike shrank heap by 163840 bytes
2025-06-12 10:51:32.657576 ike 0:Test-Office:29: negotiation timeout, deleting ---------------->timeout after 3 retransmissions.
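As an added example (not part of the article), the following Python helper groups FortiGate IKE debug output by tunnel and negotiation id and flags negotiations that retransmitted and then timed out, the pattern shown above. It assumes the line format `ike <vdom>:<tunnel>:<negotiation>: <message>`; the sample lines are constructed from the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the IKE debug excerpt in the article.
# Negotiation 29 retransmits three times and times out; negotiation 30 does not.
SAMPLE_IKE_DEBUG = """\
2025-06-12 10:51:23.687782 ike 0:Test-Office:29: sent IKE msg (P1_RETRANSMIT): 172.16.207.2:500->172.18.82.167:500, len=572, vrf=0, id=3e0fbb0e7d5ec20e/0000000000000000
2025-06-12 10:51:25.677582 ike shrank heap by 163840 bytes
2025-06-12 10:51:26.101002 ike 0:Test-Office:29: sent IKE msg (P1_RETRANSMIT): 172.16.207.2:500->172.18.82.167:500, len=572, vrf=0, id=3e0fbb0e7d5ec20e/0000000000000000
2025-06-12 10:51:29.502110 ike 0:Test-Office:29: sent IKE msg (P1_RETRANSMIT): 172.16.207.2:500->172.18.82.167:500, len=572, vrf=0, id=3e0fbb0e7d5ec20e/0000000000000000
2025-06-12 10:51:32.657576 ike 0:Test-Office:29: negotiation timeout, deleting
2025-06-12 10:52:01.000000 ike 0:Test-Office:30: sent IKE msg (P1_RETRANSMIT): 172.16.207.2:500->172.18.82.167:500, len=572, vrf=0, id=0a0b0c0d0e0f1011/0000000000000000
"""

# Assumed line layout: "<date> <time> ike <vdom>:<tunnel>:<negotiation>: <message>"
LINE_RE = re.compile(r"^\S+ \S+ ike \d+:(?P<tunnel>[^:]+):(?P<neg>\d+): (?P<msg>.*)$")
PEER_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):\d+")


def triage_ike_debug(text):
    """Group IKE debug lines by (tunnel, negotiation) and count retransmits/timeouts."""
    negs = defaultdict(lambda: {"retransmits": 0, "timed_out": False, "peer": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "ike shrank heap ..." carries no negotiation state
        rec = negs[(m["tunnel"], int(m["neg"]))]
        if "P1_RETRANSMIT" in m["msg"]:
            rec["retransmits"] += 1
            peer = PEER_RE.search(m["msg"])
            if peer:
                rec["peer"] = peer["dst"]
        elif "negotiation timeout" in m["msg"]:
            rec["timed_out"] = True
    return dict(negs)


def suspected_proposal_mismatches(negs):
    """Negotiations that retransmitted phase 1 and then timed out: the signature the
    article attributes to an unaccepted proposal such as a DH group mismatch."""
    return [(tunnel, neg, rec["peer"], rec["retransmits"])
            for (tunnel, neg), rec in sorted(negs.items())
            if rec["timed_out"] and rec["retransmits"] > 0]


if __name__ == "__main__":
    for tunnel, neg, peer, n in suspected_proposal_mismatches(triage_ike_debug(SAMPLE_IKE_DEBUG)):
        print(f"{tunnel}:{neg} -> {peer}: {n} P1 retransmits then timeout; check DH group/proposal match")
```

Feed the output of `diagnose debug application ike -1` to `triage_ike_debug` instead of the constructed sample to triage a live capture.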


To connect successfully, either choose 5 or 14 as the DH Group in the phase 1 and phase 2 selectors of the tunnel in FortiClient, or select DH Group 20 in the phase 1 and phase 2 selectors of the tunnel on the FortiGate.


Once the DH groups match in both the FortiGate and the FortiClient tunnel settings, the user can connect to the VPN successfully.

 

If the issue persists, collect an IKE debug to investigate further; see Troubleshooting Tip: IPsec VPN tunnels.