Consider an example where there are two IKEv2 dial-up IPsec VPN tunnels configured on FortiGate as follows:

config vpn ipsec phase1-interface
    edit "Tunnel1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set net-device enable
        set mode-cfg enable
        set proposal aes256gcm-prfsha384
        set dpd on-idle
        set dhgrp 20
        set certificate "FGT-Cert"
        set peer "Tunnel1-peer"
        set ipv4-start-ip 10.10.1.5
        set ipv4-end-ip 10.10.1.10
    next
    edit "Tunnel2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set net-device enable
        set mode-cfg enable
        set proposal aes256gcm-prfsha384
        set dpd on-idle
        set dhgrp 20
        set certificate "FGT-Cert"
        set peer "Tunnel2-peer"
        set ipv4-start-ip 11.11.1.5
        set ipv4-end-ip 11.11.1.10
    next
end

When a user wants to connect to 'Tunnel1' dial-up IPsec VPN, the following is observed on running IKE/fnbamd debugs on FortiGate.

diagnose debug app ike -1
diagnose debug app fnbabmd -1
diagnose debug enable

ike V=root:8:4336dd048abb8be1/0000000000000000:19370: matched proposal id 1
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: proposal id = 1:
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: protocol = IKEv2:
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: encapsulation = IKEv2/none
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: type=INTEGR, val=NONE
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: type=PRF, val=PRF_HMAC_SHA2_384
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: type=DH_GROUP, val=ECP384.
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: lifetime=28800
ike V=root:8:4336dd048abb8be1/0000000000000000:19370: SA proposal chosen, matched gateway Tunnel2

ike V=root:8:MSRGW-PROD:19370: building fnbam peer candidate list
ike V=root:8:MSRGW-PROD:19370: FNBAM_GROUP_NAME candidate 'Tunnel2-peer'

[705] fnbamd_cert_check_group_list-checking group with name 'Tunnel2-peer'
[518] __check_add_peer-check 'Tunnel2-peer'
[488] __quick_check_peer-CA does not match.
[525] __check_add_peer-'Tunnel2-peer' check ret:bad

[884] fnbamd_cert_check_matched_groups-checking group with name 'Tunnel2-peer'
[954] fnbamd_cert_check_matched_groups-not matched

ike V=root:8:MSRGW-PROD:19370: fnbam cert group matching failed
ike V=root:8:MSRGW-PROD:19370: certificate validation failed
ike V=root:8:MSRGW-PROD:19370: certificate validation failed
ike V=root:8:MSRGW-PROD:19370: auth verify done
ike V=root:8:MSRGW-PROD:19370: responder AUTH continuation
ike V=root:8:MSRGW-PROD:19370: authentication failed
ike V=root:8:MSRGW-PROD: connection expiring due to phase1 down
ike V=root:8:MSRGW-PROD: going to be deleted

The user is unable to connect to 'Tunnel1' dial-up IPsec VPN because the request matches the 'Tunnel2' IPsec tunnel. This issue is not observed when using a different proposal other than aes256gcm-prfsha.

The issue has been reported to the Engineering team in internal Engineering ticket 1229448 and a fix will be implemented in upcoming FortiOS versions.

Related documents:
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd