FortiGate
dbhavsar
Staff
Article Id 396993
Description This article describes the solution for the error 'mismatched DH group in KE payload' received in IKE debugs.
Scope FortiGate.
Solution

The following error is noticed in the IKE debugs: 'mismatched DH group in KE payload'.

2025-06-10 12:43:14.462965 ike V=root:0:IPSecVPN:56: mismatched DH group in KE payload, selected 14, received 5
2025-06-10 12:43:14.462993 ike V=root:0:IPSecVPN:56: sending INVALID_KE notify
2025-06-10 12:43:14.463024 ike 0:IPSecVPN:56: out E16C2C2451F1195200000000000000002920222000000000000000260000000A00000011000E
2025-06-10 12:43:14.463100 ike V=root:0:IPSecVPN:56: sent IKE msg (INVALID_KE_PAYLOAD): xx.xx.xx.xx:500->yy.yy.yy.yy:1012, len=38, vrf=0, id=e16c2c2451f11952/0000000000000000, oif=5

This error occurs when the Diffie-Hellman group negotiation fails. In the debug output above, the remote peer proposes DH group 5 in its KE payload, while the FortiGate is configured with DH group 14, so the FortiGate rejects the proposal with an INVALID_KE_PAYLOAD notify.
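As an added example (not part of the original article), the following Python script parses the debug lines quoted above and decodes the hex of the outgoing IKE_SA_INIT response, showing that the INVALID_KE_PAYLOAD notify carries the responder's selected DH group (14) as its notification data, per RFC 7296. The sample text is the article's own debug output; the regular expressions assume the tunnel tag format seen in those lines.

```python
import re
import struct

# Constructed sample: the three IKE debug lines quoted in this article.
IKE_DEBUG = """\
2025-06-10 12:43:14.462965 ike V=root:0:IPSecVPN:56: mismatched DH group in KE payload, selected 14, received 5
2025-06-10 12:43:14.462993 ike V=root:0:IPSecVPN:56: sending INVALID_KE notify
2025-06-10 12:43:14.463024 ike 0:IPSecVPN:56: out E16C2C2451F1195200000000000000002920222000000000000000260000000A00000011000E
"""
# The tunnel tag carries a "V=<vdom>:" prefix on some lines and not on others.
_PREFIX = r"ike (?:V=\w+:)?\d+:(?P<tunnel>[^:]+):\d+: "
MISMATCH_RE = re.compile(_PREFIX + r"mismatched DH group in KE payload, "
                         r"selected (?P<selected>\d+), received (?P<received>\d+)")
OUT_RE = re.compile(_PREFIX + r"out (?P<hex>[0-9A-Fa-f]+)")
IKE_SA_INIT, NOTIFY_PAYLOAD, INVALID_KE_PAYLOAD = 34, 41, 17  # RFC 7296 code points

def find_dh_mismatches(text):
    """Return [(tunnel, local_dhgrp, peer_dhgrp), ...] found in IKE debug text."""
    return [(m["tunnel"], int(m["selected"]), int(m["received"]))
            for m in MISMATCH_RE.finditer(text)]

def decode_invalid_ke(hex_msg):
    """Decode an IKE_SA_INIT response carrying an INVALID_KE_PAYLOAD notify and
    return the DH group the responder will accept."""
    data = bytes.fromhex(hex_msg)
    # IKEv2 header: SPIi, SPIr, next payload, version, exchange, flags, msg id, length
    _spi_i, _spi_r, nxt, ver, exch, _flags, _mid, length = struct.unpack("!QQBBBBII", data[:28])
    if ver != 0x20 or exch != IKE_SA_INIT or length != len(data):
        raise ValueError("not a well-formed IKEv2 IKE_SA_INIT message")
    if nxt != NOTIFY_PAYLOAD:
        raise ValueError("first payload is not a Notify payload")
    # Generic payload header, then Notify header: protocol id, SPI size, notify type
    _nxt, _crit, _plen, _proto, spi_size, ntype = struct.unpack("!BBHBBH", data[28:36])
    if ntype != INVALID_KE_PAYLOAD:
        raise ValueError(f"notify type {ntype} is not INVALID_KE_PAYLOAD")
    # Notification data is the accepted DH group number as a 2-byte integer
    (group,) = struct.unpack("!H", data[36 + spi_size:38 + spi_size])
    return group

def diagnose(text):
    """Cross-check each mismatch line against the notify actually sent on the wire."""
    results = []
    for tunnel, local, peer in find_dh_mismatches(text):
        wire = [decode_invalid_ke(m["hex"]) for m in OUT_RE.finditer(text)
                if m["tunnel"] == tunnel]
        results.append({"tunnel": tunnel, "local_dhgrp": local, "peer_dhgrp": peer,
                        "notify_dhgrp": wire[0] if wire else None})
    return results
```

Feeding a full `diagnose debug application ike -1` capture to `diagnose()` lists every tunnel where the local `set dhgrp` value and the peer's proposal disagree, which is the mismatch to resolve on one side or the other.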

Solution:

  • Verify if the DH group is the same on both peers.
  • Verify whether PFS is enabled on the phase 2 selectors and, if so, that the PFS settings match on both peers.


To change the DH-Group on FortiGate via CLI, the following commands can be used:


config vpn ipsec phase1-interface
    edit "tunnel-name"
        set dhgrp <DH number>
    end

config vpn ipsec phase2-interface
    edit "tunnel-name"
        set dhgrp <DH number>
    end


For more information on checking the DH group, see the KB article: Technical Tip: How to check if Diffie-Hellman (DH) group is the same on both peer units


Execute the following debug commands to collect IKE logs:


diagnose vpn ike log-filter dst-addr4 xx.xx.xx.xx <----- Public IP of remote-end
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable


Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

Related articles:

Troubleshooting Tip: The IPsec VPN tunnel not coming up, with debug message 'ignoring IKE request, i...

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity