
IPsec IKE v2 Config

Hi Team,


I have IPsec IKE V1 remote access and I need to change it to V2.

After changing it to V2 I couldn't connect to the tunnel, and it gives the below warning in the logs:

No response from the peer, phase1 retransmit reaches maximum count

Note that we use FortiAuthenticator with FortiGate.


My Config:


set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip 
set ipv4-end-ip 
set ipv4-netmask 
set dns-mode auto
set psksecret


What is the problem?



Hi @alaaelrayes ,

VPN configuration requires "mutual understanding" on both sides.
Each site must match the other.

From my understanding, the change from V1 to V2 only happened on this FortiGate.

This error: "No response from the peer, phase1 retransmit reaches maximum count" may indicate the peer is still using V1.

May I know, did you change it on the peer side too?



VPN client config on that connection is V2 also, as below:

[image: V2.JPG]



Encryption does not match. FortiClient has aes128-sha1 and aes256-sha1, but FortiGate accepts aes128-sha256 at least.


The same issue 





Then run ike debug. That will show you why it is failing:

diag debug console time en

diag debug app ike -1

diag debug en


To disable debug:

diag debug disable

diag debug reset


I added the below to configs:

set eap enable
set eap-identity send-request

And the debug error is as below:

2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure
2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting
2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted


and the below error when disabling eap:


2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR
2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID
2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed
2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333689 ike 0:ForiVPN-04:5044: scheduled delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down
2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting
2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted
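
Added example (not part of any post in this thread, and not Fortinet code): a small Python parser that groups `diag debug app ike -1` output shaped like the lines above into connection attempts and collects the failure messages logged before each `deleted` event. The line layout and the failure wording it matches are assumptions drawn only from the lines quoted in this thread; `summarize` is a name made up for this example.

```python
import re

# Constructed sample: the IKE debug lines quoted in the post above.
SAMPLE = """\
2023-05-24 12:05:02.099273 ike 0:ForiVPN-04: connection expiring due to EAP failure
2023-05-24 12:05:02.099280 ike 0:ForiVPN-04: deleting
2023-05-24 12:05:02.099312 ike 0:ForiVPN-04: deleted
2023-05-24 12:21:18.333661 ike 0:ForiVPN-04:5044: peer identifier IPV4_ADDR
2023-05-24 12:21:18.333666 ike 0:ForiVPN-04:5044: re-validate gw ID
2023-05-24 12:21:18.333675 ike 0:ForiVPN-04:5044: gw validation failed
2023-05-24 12:21:18.333682 ike 0:ForiVPN-04:5044: schedule delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333689 ike 0:ForiVPN-04:5044: scheduled delete of IKE SA a72491f0596e0d2f/5979dd2ebd97470f
2023-05-24 12:21:18.333708 ike 0:ForiVPN-04: connection expiring due to phase1 down
2023-05-24 12:21:18.333714 ike 0:ForiVPN-04: deleting
2023-05-24 12:21:18.333721 ike 0:ForiVPN-04: deleted
"""

# Assumed layout: "<date> <time> ike <vdom>:<tunnel>:[<sa-id>:] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ike (?P<vdom>\d+):(?P<tunnel>[^:\s]+):"
    r"(?:(?P<sa>\d+):)? (?P<msg>.+)$"
)
# Assumption: failure wording taken only from the messages seen in this thread.
REASON_RE = re.compile(r"\bfail(?:ed|ure)\b|expiring due to", re.IGNORECASE)


def summarize(text):
    """Group debug lines into connection attempts, one per 'deleted' event."""
    open_attempts = {}  # tunnel name -> attempt currently being collected
    finished = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line in the assumed shape
        attempt = open_attempts.setdefault(
            m["tunnel"],
            {"tunnel": m["tunnel"], "first": m["ts"], "sa_ids": [], "reasons": []},
        )
        attempt["last"] = m["ts"]
        if m["sa"] and m["sa"] not in attempt["sa_ids"]:
            attempt["sa_ids"].append(m["sa"])
        if REASON_RE.search(m["msg"]):
            attempt["reasons"].append(m["msg"])
        if m["msg"] == "deleted":
            finished.append(open_attempts.pop(m["tunnel"]))
    # Attempts that never reached 'deleted' are returned last, still open.
    return finished + list(open_attempts.values())


if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a["first"], a["tunnel"], a["sa_ids"], " -> ".join(a["reasons"]))
```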


This does not say much. Try to use a user group with a local user account, for a start. Try to authenticate with it. If the tunnel works, then start focusing on the authentication part between FortiGate and RADIUS/LDAP.


I made changes to FortiAuthenticator and FortiGate, then the connection was established and I was prompted to enter the FortiToken, but after entering the token it shows that the VPN connection failed.

The error code from FortiClient is:

No response from the peer, phase1 retransmit reaches maximum count

The FortiAuthenticator log shows success:


Authenticator Radius changes:

[images: radius 1.JPG, radius 2.JPG]

Authenticator Radius debug:

[image: auth 3.png]


Hi @alaaelrayes ,

If you have FortiAuthenticator, it may be related to another issue. Can you try without 2FA and try it again?

If only 2FA is not working, I would suggest contacting Fortinet support, as this needs in-depth troubleshooting.
Here is the reference:

