hbac
Article Id 391238
Description

This article describes an issue where an IPsec tunnel's Phase 2 will not come up because of a Phase 2 Perfect Forward Secrecy (PFS) settings mismatch. This issue can affect both remote access and site-to-site tunnels.

Scope

FortiGate.
Solution

An IKE debug shows the following messages: 


2025-03-12 13:04:04.084852 ike 0::64181:12:374663: incoming proposal:
2025-03-12 13:04:04.084897 ike 0::64181:12:374663: proposal id = 1:
2025-03-12 13:04:04.084937 ike 0::64181:12:374663: protocol id = IPSEC:
2025-03-12 13:04:04.084975 ike 0::64181:12:374663: PFS DH group = 2
2025-03-12 13:04:04.085016 ike 0::64181:12:374663: trans_id = ESP_AES_CBC (key_len = 256)
2025-03-12 13:04:04.085055 ike 0::64181:12:374663: encapsulation = ENCAPSULATION_MODE_TUNNEL
2025-03-12 13:04:04.085095 ike 0::64181:12:374663: type = AUTH_ALG, val=SHA2_256
2025-03-12 13:04:04.085139 ike 0::64181:12:374663: did not expect PFS DH group, received DH group 2
2025-03-12 13:04:04.085188 ike 0::64181:12:374663: negotiation failure


In this example, the issue is caused by a settings mismatch in the Phase 2 Proposal between the FortiGate and FortiClient: the FortiGate has Perfect Forward Secrecy (PFS) disabled while FortiClient has it enabled, so the client's proposal carries a PFS DH group (group 2) that the FortiGate does not expect, and the negotiation fails.

[Screenshot: PFS.PNG]

[Screenshot: PFS client.PNG]

To resolve the issue, either disable Perfect Forward Secrecy (PFS) on the FortiClient or enable it on the FortiGate so that it matches on both sides. 
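As an added example that is not part of the Fortinet article, the following Python checker parses the peer's incoming Phase 2 proposal from IKE debug output like the one above and compares it with the local phase2 settings (the FortiGate CLI's `set pfs` and `set dhgrp` values). It generalizes beyond the article's case to the other PFS mismatch directions; the debug text is a constructed sample modelled on the quoted output, and the local settings passed in are assumed values.

```python
import re

# Constructed sample, modelled on the IKE debug output quoted in the article.
SAMPLE_DEBUG = """\
2025-03-12 13:04:04.084852 ike 0::64181:12:374663: incoming proposal:
2025-03-12 13:04:04.084897 ike 0::64181:12:374663: proposal id = 1:
2025-03-12 13:04:04.084937 ike 0::64181:12:374663: protocol id = IPSEC:
2025-03-12 13:04:04.084975 ike 0::64181:12:374663: PFS DH group = 2
2025-03-12 13:04:04.085016 ike 0::64181:12:374663: trans_id = ESP_AES_CBC (key_len = 256)
2025-03-12 13:04:04.085055 ike 0::64181:12:374663: encapsulation = ENCAPSULATION_MODE_TUNNEL
2025-03-12 13:04:04.085095 ike 0::64181:12:374663: type = AUTH_ALG, val=SHA2_256
2025-03-12 13:04:04.085139 ike 0::64181:12:374663: did not expect PFS DH group, received DH group 2
2025-03-12 13:04:04.085188 ike 0::64181:12:374663: negotiation failure
"""

def parse_incoming_proposal(debug: str) -> dict:
    """Extract the peer's Phase 2 proposal attributes from IKE debug lines."""
    prop = {"pfs_dh_group": None, "encryption": None, "key_len": None,
            "auth": None, "negotiation_failed": False}
    for line in debug.splitlines():
        msg = line.split(": ", 1)[-1]  # drop the timestamp and 'ike <ids>:' prefix
        if m := re.match(r"PFS DH group = (\d+)", msg):
            prop["pfs_dh_group"] = int(m.group(1))
        elif m := re.match(r"trans_id = (\w+)(?: \(key_len = (\d+)\))?", msg):
            prop["encryption"] = m.group(1)
            prop["key_len"] = int(m.group(2)) if m.group(2) else None
        elif m := re.match(r"type = AUTH_ALG, val=(\w+)", msg):
            prop["auth"] = m.group(1)
        elif msg.startswith("negotiation failure"):
            prop["negotiation_failed"] = True
    return prop

def diagnose_pfs(local_pfs: bool, local_dhgrp: set, prop: dict) -> str:
    """Compare the peer's PFS offer with the local phase2 'set pfs' / 'set dhgrp' settings."""
    peer = prop["pfs_dh_group"]
    if peer is None and local_pfs:
        return "mismatch: local phase2 requires PFS but the peer offered none"
    if peer is not None and not local_pfs:
        return (f"mismatch: peer offered PFS DH group {peer} but local phase2 has "
                f"PFS disabled (the article's case); enable PFS with dhgrp {peer} "
                "locally or disable PFS on the peer")
    if peer is not None and peer not in local_dhgrp:
        return f"mismatch: peer offered DH group {peer}, local dhgrp allows {sorted(local_dhgrp)}"
    return "ok: PFS settings are compatible"

if __name__ == "__main__":
    proposal = parse_incoming_proposal(SAMPLE_DEBUG)
    print(proposal)
    print(diagnose_pfs(False, {14, 5}, proposal))  # assumed local settings: PFS disabled
```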


After that, the client will be able to connect. 

[Screenshot: conected.PNG]