There are issues with FortiClient Mac 5.4.0 and OSX El Capitan. You need to use 5.2.6 Mac FortiClient or wait for the fix in FortiClient 5.4.1 - (to be released)

Thank you Ken and Eric for your responses.

@Eric: Can you please give me a link to 5.2.6 Mac FortiClient? I searched in vain on the Fortinet website and via Google.

@Ken: Thanks for offering your help. Yes, I'm using the latest FortiClient 5.4.0.493. After talking to my customer who owns the network I want to connect to, I can't give you access to it. Would you be so kind as to tell me how you would have debugged the failing connection?

Thanks again for your help.

login to support.fortinet.com and click on download firmware images select forticlient and than Mac

Sure would be nice if they would simply expose these settings in the Mac Client GUI under Advanced like they do in Windows.  I'm using FC 5.4.0.493 (full install) on MacOS 10.11.2 with no problems connecting to IPsec FG runing 5.4.  I'm going to update MacOS to 10.11.3 to see if that breaks it as I'm testing.

Okay I updated to 10.11.3 and I'm using FC 5.4.0.493.  Still seems to be working after the upgrade.  No crashing, no problems.  My FG is 5.4 (500D) which I'm testing (we have another in production).  I have "high" crypto settings enabled on the FG.  My IPsec settings are as follows:

Here are my VPN settings with key [REMOVED] of course.  Be careful if you try and import there are some settings here that should be firewall unique.  Better yet to compare to your settings and change individual settings as needed.

config system interface     edit "FC_IPSec"         set vdom "root"         set type tunnel         set snmp-index 23         set interface "port9"     next end config firewall address     edit "FC_IPSec_range"         set uuid 8c8704ec-e664-51e5-6dcf-10e67dd8aa66 (Note: I think these are created per firewall so might want to comment these out.)         set type iprange         set comment "VPN: FC_IPSec (Created by VPN wizard)"         set start-ip 10.254.1.10         set end-ip 10.254.1.253     next end config vpn ipsec phase1-interface     edit "FC_IPSec"         set type dynamic         set interface "port9"         set mode aggressive         set mode-cfg enable         set proposal aes256-sha256 aes128-sha1         set comments "VPN: FC_IPSec (Created by VPN wizard)"         set xauthtype auto         set authusrgrp "L2TP_Group"         set ipv4-start-ip 10.254.1.10         set ipv4-end-ip 10.254.1.253         set ipv4-netmask 255.255.255.0         set dns-mode auto         set save-password enable         set psksecret ENC {REMOVED]     next end config vpn ipsec phase2-interface     edit "FC_IPSec"         set phase1name "FC_IPSec"         set comments "VPN: FC_IPSec (Created by VPN wizard)"     next end config firewall policy     edit 52         set name "IPsec_Inbound"         set uuid 97530bdc-e669-51e5-e7db-04257772071b         set srcintf "FC_IPSec"         set dstintf "port11"         set srcaddr "FC_IPSec_range"         set dstaddr "TR-IN-LAN_Servers"  (Note: This is just an address range of some LAN hosts)         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set comments "VPN: FC_IPSec (Created by VPN wizard)"         set av-profile "default"         set dlp-sensor "DLP-Browsing File Block"         set ips-sensor "protect_client"         set profile-protocol-options "default"         set ssl-ssh-profile "deep-inspection"         set nat enable     next     edit 54         set name "IPsec_Browsing"         set uuid cf388274-e70a-51e5-d8b7-4d06b8aaf4b2         set srcintf "FC_IPSec"         set dstintf "port9"         set srcaddr "FC_IPSec_range"         set dstaddr "all"         set action accept         set schedule "always"         set service "Outbound_Allowed" (Note: This is a restricted group of services that we use for outbound traffic)         set utm-status enable         set av-profile "default"         set webfilter-profile "default"         set dnsfilter-profile "default"         set dlp-sensor "DLP-Browsing File Block"         set ips-sensor "protect_client"         set application-list "default"         set profile-protocol-options "default"         set ssl-ssh-profile "deep-inspection"         set nat enable     next end

Now here is my FortiClient from MacOS config (I removed all keys and pws.  Look for [REMOVED] to replace with your own data or zero out.  I originally configured settings on Windows FC and then imported into Mac Client.  Even looking at this now, I don't like how I have the DH Key Groups and Proposals setup.  Too many week KE and Ciphers, but it is working.  I think the solution is configure your FG IPSec settings to be as strict as you need when it comes to ciphers (client should try to match any you specify, notice how I removed some of the weaker ones), but your Diffie-Hellman group needs to match in this config and on your FG to work:

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <forticlient_configuration>     <forticlient_version>5.4.0.0493</forticlient_version>     <version>5.4</version>     <date>2016-3-10</date>     <os_version>MacOSX</os_version>     <partial_configuration>0</partial_configuration>     <system>         <log_settings>             <level>4</level>             <max_log_size>10000000</max_log_size>             <log_events>ipsecvpn,sslvpn,webfilter,update,av,firewall</log_events>             <remote_logging>                 <log_protocol>faz</log_protocol>                 <log_upload_enabled>0</log_upload_enabled>                 <log_upload_server></log_upload_server>                 <netlog_server></netlog_server>                 <log_upload_freq_hours>0</log_upload_freq_hours>                 <log_upload_freq_minutes>1</log_upload_freq_minutes>                 <log_upload_ssl_enabled>0</log_upload_ssl_enabled>                 <netlog_categories>7</netlog_categories>                 <log_retention_days>90</log_retention_days>             </remote_logging>         </log_settings>         <proxy>             <address></address>             <port></port>             <password></password>             <update></update>         </proxy>         <update>             <use_custom_server>0</use_custom_server>             <server></server>             <port></port>             <failoverport></failoverport>             <fail_over_to_fdn>1</fail_over_to_fdn>             <update_action>notify_only</update_action>             <scheduled_update>                 <enabled>1</enabled>                 <type>interval</type>                 <update_interval_in_hours>1</update_interval_in_hours>             </scheduled_update>         </update>         <ui>             <password>Enc [REMOVED]</password>             <default_tab>AV</default_tab>             <culture_code></culture_code>             <ads>0</ads>             <replacement_messages>                 <quarantine>                     <title><![CDATA[]]></title>                     <statement><![CDATA[]]></statement>                     <remediation><![CDATA[]]></remediation>                 </quarantine>             </replacement_messages>         </ui>         <certificates></certificates>     </system>     <vpn>         <options>             <autoconnect_tunnel></autoconnect_tunnel>             <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>             <keep_running_max_tries>0</keep_running_max_tries>             <allow_personal_vpns>1</allow_personal_vpns>             <disable_connect_disconnect>0</disable_connect_disconnect>         </options>         <ipsecvpn>             <options>                 <enabled>1</enabled>                 <block_ipv6>1</block_ipv6>             </options>             <connections>                 <connection>                     <name>1Gbps IPSec</name>                     <type>manual</type>                     <ike_settings>                         <prompt_certificate>0</prompt_certificate>                         <description></description>                         <server>[REMOVED]</server>                         <authentication_method>Preshared Key</authentication_method>                         <auth_key>Enc [REMOVED]</auth_key>                         <mode>aggressive</mode>                         <dhgroup>5</dhgroup>                         <key_life>86400</key_life>                         <localid></localid>                         <nat_traversal>1</nat_traversal>                         <mode_config>1</mode_config>                         <enable_local_lan>0</enable_local_lan>                         <dpd>1</dpd>                         <xauth>                             <enabled>1</enabled>                             <prompt_username>0</prompt_username>                             <username>Enc [REMOVED]</username>                             <password>Enc [REMOVED]</password>                         </xauth>                         <proposals>                             <proposal>aes128|sha1</proposal>                             <proposal>aes256|sha256</proposal>                             <proposal>3des|sha256</proposal>                             <proposal>aes128|sha1</proposal>                             <proposal>aes256|sha1</proposal>                             <proposal>3des|sha1</proposal>                         </proposals>                         <fgt>0</fgt>                     </ike_settings>                     <ipsec_settings>                         <remote_networks></remote_networks>                         <dhgroup>5</dhgroup> (Note: Better if this is at least 14, I need to change)                         <key_life_type>seconds</key_life_type>                         <key_life_seconds>43200</key_life_seconds>                         <pfs>1</pfs>                         <use_vip>1</use_vip>                         <virtualip>                             <type>modeconfig</type>                             <ip></ip>                             <mask></mask>                             <dnsserver></dnsserver>                         </virtualip>                         <proposals></proposals>                     </ipsec_settings>                     <on_connect>                         <script>                             <os>mac</os>                             <script></script>                         </script>                     </on_connect>                     <on_disconnect>                         <script>                             <os>mac</os>                             <script></script>                         </script>                     </on_disconnect>                     <keep_running>0</keep_running>                     <ui>                         <show_passcode>0</show_passcode>                         <show_remember_password>1</show_remember_password>                         <show_alwaysup>0</show_alwaysup>                         <show_autoconnect>0</show_autoconnect>                     </ui>                 </connection>             </connections>         </ipsecvpn>         <sslvpn>             <options>                 <enabled>1</enabled>             </options>             <connections>             </connections>         </sslvpn>     </vpn>     <endpoint_control>         <enable_enforcement></enable_enforcement>         <enabled>1</enabled>         <system_data>Enc [REMOVED]</system_data>         <checksum></checksum>         <custom_ping_server>:0</custom_ping_server>         <log_last_upload_date></log_last_upload_date>         <conf_recv_time>0</conf_recv_time>         <fgt_logoff_on_fct_shutdown>0</fgt_logoff_on_fct_shutdown>         <fortigates></fortigates>         <ui>             <display_antivirus>1</display_antivirus>             <display_webfilter>1</display_webfilter>             <display_firewall>0</display_firewall>             <display_vpn>1</display_vpn>             <display_vulnerability_scan>0</display_vulnerability_scan>             <registration_dialog>                 <show_profile_details>1</show_profile_details>             </registration_dialog>         </ui>         <silent_registration>0</silent_registration>         <disable_unregister>0</disable_unregister>         <alerts>             <notify_server>1</notify_server>             <alert_threshold>1</alert_threshold>         </alerts>         <onnet_addresses></onnet_addresses>         <onnet_mac_addresses></onnet_mac_addresses>         <notification_server>             <address>:0</address>             <registration_password>Enc [REMOVED]</registration_password>         </notification_server>     </endpoint_control>     <webfilter>         [SECTION REMOVED]     </webfilter>     <firewall>         [SECTION REMOVED]     </firewall>     <vulnerability_scan>         <enabled>0</enabled>         <scan_on_fgt_registration>0</scan_on_fgt_registration>         <scheduled_scans>             <schedule>                 <repeat></repeat>                 <type></type>                 <day></day>                 <time></time>             </schedule>         </scheduled_scans>     </vulnerability_scan>     <antivirus>         <enabled>1</enabled>         <scan_on_insertion>1</scan_on_insertion>         <scheduled_scans>             <full>                 <enabled>1</enabled>                 <repeat>1</repeat>                 <days>2</days>                 <day_of_month></day_of_month>                 <time>18:30</time>                 <removable_media>1</removable_media>             </full>         </scheduled_scans>         <on_demand_scanning>             <on_virus_found>0</on_virus_found>             <compressed_files>                 <scan>1</scan>                 <maxsize>0</maxsize>             </compressed_files>             <riskware>                 <enabled>0</enabled>             </riskware>             <adware>                 <enabled>0</enabled>             </adware>             <heuristic_scanning>0</heuristic_scanning>             <exclusions></exclusions>         </on_demand_scanning>         <real_time_protection>             <enabled>1</enabled>             <when>0</when>             <on_virus_found>0</on_virus_found>             <popup_alerts>1</popup_alerts>             <compressed_files>                 <scan>1</scan>                 <maxsize>2</maxsize>             </compressed_files>             <riskware>                 <enabled>0</enabled>             </riskware>             <adware>                 <enabled>0</enabled>             </adware>             <heuristic_scanning>                 <enabled>0</enabled>                 <action>0</action>             </heuristic_scanning>             <exclusions></exclusions>         </real_time_protection>         <quarantine>             <cullage>100</cullage>         </quarantine>     </antivirus>     <fssoma>         <enabled>0</enabled>         <serveraddress>:8001</serveraddress>         <presharedkey>Enc [REMOVED]</presharedkey>     </fssoma> </forticlient_configuration>