Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dbhavsar
Staff
Staff

Created on ‎06-18-2025 09:26 PM Edited on ‎01-01-2026 11:42 PM By Community Manager

Article Id 396993

Troubleshooting Tip: IPSec VPN down due to 'mismatched DH group in KE payload'

Description This article describes the solution for the error 'mismatched DH group in KE payload' received in IKE debugs.
Scope FortiGate.
Solution

The following error is noticed in the IKE debugs: 'mismatched DH group in KE payload'.

2025-06-10 12:43:14.462965 ike V=root:0:IPSecVPN:56: mismatched DH group in KE payload, selected 14, received 5
2025-06-10 12:43:14.462993 ike V=root:0:IPSecVPN:56: sending INVALID_KE notify
2025-06-10 12:43:14.463024 ike 0:IPSecVPN:56: out E16C2C2451F1195200000000000000002920222000000000000000260000000A00000011000E
2025-06-10 12:43:14.463100 ike V=root:0:IPSecVPN:56: sent IKE msg (INVALID_KE_PAYLOAD): xx.xx.xx.xx:500->yy.yy.yy.yy:1012, len=38, vrf=0, id=e16c2c2451f11952/000000000
0000000, oif=5

This error occurs when a negotiation failure happens for the DH-Group. In the above error, it can be concluded that FortiGate is receiving negotiation for DH-Group=5, but on FortiGate, DH-Group is set to 14.

Solution:

  • Verify if the DH group is the same on both peers.
  • Verify if PFS is enabled on the phase2 selectors, are match on both the peers.


To change the DH-Group on FortiGate via CLI, the following commands can be used:


config vpn ipsec phase1-interface
    edit "tunnel-name"
        set dhgrp <DH number>
end

config vpn ipsec phase2-interface
    edit "tunnel-name"
        set dhgrp <DH number>
end

 

More information on how to check regarding the DH group can be found in this KB article: Technical Tip: How to check if Diffie-Hellman(DH) group is the same on both peer units.

 

Execute the following debug commands to collect IKE logs:


diagnose vpn ike log-filter dst-addr4 xx.xx.xx.xx <----- Public IP of remote-end
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

Starting from v7.6.5 and v8.0.0, the default DH groups for Phase1 and Phase2 IPsec VPN tunnels will be updated from 14 and 5 to 14, 20, and 21. So the IPSec VPN tunnel might be down due to the DH group mismatch, after upgrading to v7.6.5. The solution is to change the DH group in the VPN settings, make sure both 2 sides have the identical configurations.


Related articles:

Troubleshooting Tip: The IPsec VPN tunnel not coming up, with debug message 'ignoring IKE request, i...

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
1560
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.