FortiGate
smujeeb
Staff
Article Id 215368
Description

This article describes why an IPsec VPN tunnel fails to come up with a 'Peer SA proposal not match local policy' message in the logs, and how to troubleshoot it.

Scope

FortiGate.
Solution

The VPN configuration (phase 1 and phase 2 proposals) matches on the local and remote ends, but the tunnel still fails to come up and negotiation errors are seen in the VPN event logs.

 


 

This is often caused by a missing firewall policy (inbound or outbound) for the tunnel interface, even though the proposals on both ends are the same.

Creating the missing policy should make the negotiation succeed. If a policy already exists and the error persists, take the message literally: compare the phase 1 and phase 2 proposals (encryption, authentication, DH/PFS groups) and the remote gateway settings on both ends, since any of these can produce the same log entry.

 

Additional information about the negotiation can be gathered with the following debug commands (the filter limits the output to the remote peer, which matters on a FortiGate with many tunnels):

diagnose vpn ike log-filter dst-addr4 (X.X.X.X) <----- IP address of the remote peer.

diagnose debug application ike -1

diagnose debug enable

 

Note:

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

To disable the debug, press Ctrl + C and enter 'diagnose debug disable'.

 

Sometimes the VPN tunnel flaps only for a short time, for example 1-2 minutes. If the reason for the flap is not visible in the VPN event logs, the IKE debug has to be captured while the flap happens, so a script has to be run at an interval chosen according to how frequently the tunnel flaps.

Refer to the article below for the VPN script:

Troubleshooting Tip: IPsec VPN general script using Tera Term

 

Note:
From v7.4.2, the same error occurs if the phase 1 transport is set to 'TCP encapsulation' while FortiClient is not set up to use TCP (for example, an older FortiClient version that does not support TCP encapsulation). Switch the transport back to 'Auto' and try to connect again.



 

This can also happen when the remote gateway is wrongly configured on the FortiGate. In the IKE debug capture below, the FortiGate receives the peer's IKE_SA_INIT from 20.20.20.2, decodes the first incoming proposal, rejects the request with 'no proposal chosen' and answers with NO_PROPOSAL_CHOSEN; the final 'out' line is the local vpn1 gateway's own IKE_SA_INIT towards the same peer, which shows the proposals this side would have accepted.

IKE debug capture:

 

ike V=root:0:vpn1:14: initiator received zero responder IKE SPI
ike V=root:0: comes 20.20.20.2:500->20.20.20.1:500,ifindex=6,vrf=0,len=472....
ike V=root:0: IKEv2 exchange=SA_INIT id=914420d2570927b5/0000000000000000 len=472
ike 0: in 914420D2570927B500000000000000002120220800000000000001D8220000F002000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000015000000080400001402000034020100050300000C0100000C800E01000300000802000005030000080300000C03000008040000150000000804000014 0200002C030100040300000C01000014800E0080030000080200000503000008040000150000000804000014 0200002C040100040300000C01000014800E01000300000802000006030000080400001500000008040000140000002C050100040300000C0100001C800E01000300000802000005030000080400001500000008040000 14280000680014000042DC69C96F06BD0AF8134AB70B36AE33AB305FB68ADA80820B7E715FB935973EB3C04B5697C184F4E9F22061810FC8BCD5868DE93EE722BE06549033320EA42843D202800A8AD27376E87797763A6D7B642B6557BFC5E99C437D354E36214A9A290000246C6C2D100F8D88282913A0723377267C2853E9CD5A83A92587AAC20BEEC0B2CA2900001C0000400493E648F97C678861B0FA9D61C0936D650375307F2900001C0000400538C97266EB9F41C80A0B80F96AC4A69BF59A50F4000000080000402E
ike V=root:0:914420d2570927b5/0000000000000000:15: responder received SA_INIT msg
ike V=root:0:914420d2570927b5/0000000000000000:15: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:914420d2570927b5/0000000000000000:15: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:914420d2570927b5/0000000000000000:15: received notify type FRAGMENTATION_SUPPORTED
ike V=root:0:914420d2570927b5/0000000000000000:15: incoming proposal:
ike V=root:0:914420d2570927b5/0000000000000000:15: proposal id = 1:
ike V=root:0:914420d2570927b5/0000000000000000:15: protocol = IKEv2:
ike V=root:0:914420d2570927b5/0000000000000000:15: encapsulation = IKEv2/none
ike V=root:0:914420d2570927b5/0000000000000000:15: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:914420d2570927b5/0000000000000000:15: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:914420d2570927b5/0000000000000000:15: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:914420d2570927b5/0000000000000000:15: type=DH_GROUP, val=ECP384.
ike V=root:0:914420d2570927b5/0000000000000000:15: type=DH_GROUP, val=ECP521.
ike V=root:0:914420d2570927b5/0000000000000000:15: no proposal chosen
ike V=root:914420d2570927b5/0000000000000000 Negotiate SA Error: peer SA proposal not match local policy
ike V=root:0:914420d2570927b5/0000000000000000:15: no proposal chosen, send error response
ike 0:914420d2570927b5/0000000000000000:15: out 914420D2570927B50000000000000000292022200000000000000024000000080000000E
ike V=root:0:914420d2570927b5/0000000000000000:15: sent IKE msg (NO_PROPOSAL_CHOSEN): 20.20.20.1:500->20.20.20.2:500, len=36, vrf=0, id=914420d2570927b5/0000000000000000, oif=6
FGVM010000137183 # ike :shrank heap by 126976 bytes
ike 0:vpn1:14: out 0F8EDC21C5D4C9970000000000000000212022080000000000001D0220000E80200002C010100040300000C0100000C800E00800300000802000005030000080300000C00000008040000140200002C020100040300000C0100000C800E01000300000802000005030000080300000C00000008040000140200002403010003 0300000C01000014800E00800300000802000005000000080400001402000024040100030300000C01000014800E01000300000802000006000000080400001402000020050100030300000801 00001C03000008020000050000000804000014000000240601000303 00000C0100001C800E0100030000080200000500000008040000142800006800140000 48112D3197E1FE926E8971751E80B73C2D831F9B47555BA00E7653A76C92441B8AE2337D5CAEC0E88B32A96E93D165381ED5030964E946B59DD9F70B0442C79F0E3D3CA20F3131947A93F3E44E7A614D03F2A167721E95AAA73DC5BE7C5966BA29000024E0CBA918A9013F4222B56A7C8B37BF5B213A7702F13128ADED49BBCD7DB6C7E32900001C0000400441383C8019A7E28A8CCD68AEA6EFB7EA26ECF9D12900001C0000400541383C8019A7E28A8CCD68AEA6EFB7EA26ECF9D1000000080000402E