FortiGate
Ade_23
Staff
Article Id 385932
Description This article describes possible issues that result in the error 'No Proposal Chosen. Negotiate SA Error'.
Scope FortiGate.
Solution

When troubleshooting IPsec VPN issues on a FortiGate, it is possible to receive the error 'No Proposal Chosen. Negotiate SA Error'. This is likely due to a gateway address mismatch.

The sample configuration below shows some details of an IPsec tunnel configured between two FortiGates, A and B.

Scenario 1: Site-to-site VPN between FortiGate A and FortiGate B

FortiGate A:

config vpn ipsec phase1-interface
   edit "testvpn"
     set interface "port1"
     set ike-version 2
     set peertype any
     set net-device disable
     set proposal aes128-sha256 aes256-sha256
     set remote-gw 10.9.10.43
     set psksecret ENC xxxxxxxx
     next
   end
get sys int
   == [ port1 ]
   name: port1 mode: static ip: 10.9.11.1 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
   == [ port3 ]
   name: port3 mode: dhcp ip: 10.9.32.4 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
   == [ testvpn ]
   name: testvpn ip: 0.0.0.0 0.0.0.0 status: down netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable mtu-override: disable

FortiGate B:

config vpn ipsec phase1-interface
   edit "test_dup2"
     set interface "port3"
     set ike-version 2
     set peertype any
     set net-device disable
     set proposal aes128-sha256 aes256-sha256
     set remote-gw 10.9.32.4
     set psksecret ENC xxxxxxxx
     next
   end
get sys int
   == [ port1 ]
   name: port1 mode: static ip: 10.9.10.43 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
   == [ port3 ]
   name: port3 mode: dhcp ip: 10.9.32.11 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
   == [ test_dup2 ]
   name: test_dup2 ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable mtu-override: disable

The 'remote-gw' values on both sides do not match the interface addresses actually used for the VPN. FortiGate A's remote-gw (10.9.10.43) is the port1 address of FortiGate B, but B's tunnel 'test_dup2' is bound to port3 (10.9.32.11); FortiGate B's remote-gw (10.9.32.4) is the port3 address of FortiGate A, but A's tunnel 'testvpn' is bound to port1 (10.9.11.1).

Debug outputs:

FortiGate B:

ike V=root:0:test_dup2:test_dup2: IPsec SA connect 5 10.9.32.11->10.9.32.4:0
ike V=root:0:test_dup2:test_dup2: using existing connection
ike V=root:0:test_dup2:test_dup2: config found
ike V=root:0:test_dup2: request is on the queue
ike 0:test_dup2:56: out [hash omitted]
ike V=root:0:test_dup2:56: sent IKE msg (P1_RETRANSMIT): 10.9.32.11:500->10.9.32.4:500, len=722, vrf=0, id=ca2c786a2244f30e/0000000000000000
ike :shrank heap by 135168 bytes
ike V=root:0:test_dup2:test_dup2: IPsec SA connect 5 10.9.32.11->10.9.32.4:0
ike V=root:0:test_dup2:test_dup2: using existing connection
ike V=root:0:test_dup2:test_dup2: config found
ike V=root:0:test_dup2: request is on the queue

FortiGate A:

2025-04-02 06:19:36.879931 ike V=root:0: comes 10.9.32.11:500->10.9.32.4:500,ifindex=5,vrf=0,len=500....
2025-04-02 06:19:36.880623 ike V=root:0: IKEv2 exchange=SA_INIT id=9089714b849fe991/0000000000000000 len=500
2025-04-02 06:19:36.881253 ike 0: in [hash omitted]
2025-04-02 06:19:36.886291 ike V=root:0:9089714b849fe991/0000000000000000:260: responder received SA_INIT msg
2025-04-02 06:19:36.886896 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type NAT_DETECTION_SOURCE_IP
2025-04-02 06:19:36.887552 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type NAT_DETECTION_DESTINATION_IP
2025-04-02 06:19:36.888229 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type FRAGMENTATION_SUPPORTED
2025-04-02 06:19:36.888905 ike V=root:0:9089714b849fe991/0000000000000000:260: incoming proposal:
2025-04-02 06:19:36.889449 ike V=root:0:9089714b849fe991/0000000000000000:260: proposal id = 1:
2025-04-02 06:19:36.889971 ike V=root:0:9089714b849fe991/0000000000000000:260: protocol = IKEv2:
2025-04-02 06:19:36.890522 ike V=root:0:9089714b849fe991/0000000000000000:260: encapsulation = IKEv2/none
2025-04-02 06:19:36.891125 ike V=root:0:9089714b849fe991/0000000000000000:260: type=ENCR, val=AES_CBC (key_len = 128)
2025-04-02 06:19:36.891799 ike V=root:0:9089714b849fe991/0000000000000000:260: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2025-04-02 06:19:36.892483 ike V=root:0:9089714b849fe991/0000000000000000:260: type=PRF, val=PRF_HMAC_SHA2_256
2025-04-02 06:19:36.893120 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP2048.
2025-04-02 06:19:36.893754 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP1536.
2025-04-02 06:19:36.894382 ike V=root:0:9089714b849fe991/0000000000000000:260: proposal id = 2:
2025-04-02 06:19:36.894905 ike V=root:0:9089714b849fe991/0000000000000000:260: protocol = IKEv2:
2025-04-02 06:19:36.895449 ike V=root:0:9089714b849fe991/0000000000000000:260: encapsulation = IKEv2/none
2025-04-02 06:19:36.896045 ike V=root:0:9089714b849fe991/0000000000000000:260: type=ENCR, val=AES_CBC (key_len = 256)
2025-04-02 06:19:36.896726 ike V=root:0:9089714b849fe991/0000000000000000:260: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2025-04-02 06:19:36.897394 ike V=root:0:9089714b849fe991/0000000000000000:260: type=PRF, val=PRF_HMAC_SHA2_256
2025-04-02 06:19:36.898035 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP2048.
2025-04-02 06:19:36.898705 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP1536.
2025-04-02 06:19:36.899472 ike V=root:0:9089714b849fe991/0000000000000000:260: no proposal chosen
2025-04-02 06:19:36.900083 ike V=root:Negotiate SA Error: [11895]

FortiGate A is the receiver (IKE responder) in this case: the SA_INIT from 10.9.32.11 arrives on port3 (10.9.32.4), while 'testvpn' is bound to port1, so A does not accept the proposals and responds with the error 'no proposal chosen ... Negotiate SA Error: [11895]'.

After correcting this by setting the right remote gateway on one of the FortiGates, the tunnel comes up as expected, provided all other configuration is correct.

In another case, this error occurs because of a mismatch in the network ID in the phase 1 configuration of the IPsec tunnel in ADVPN.

To rectify this, make sure that the network-id in phase 1 of the IPsec tunnel matches on both the hub and the spoke FortiGate.

config vpn ipsec phase1-interface
   edit "tunnel-name"
     set network-overlay enable
     set network-id 1      <----- Should match on hub and spoke.
     next
   end

Scenario 2: Dial-up VPN

FortiGate:

  • Dial-up server listening on port1
  • Primary IP: 172.16.30.15
  • Secondary IP: 10.150.11.15

FortiClient remote gateway configuration: 10.150.11.15, or an FQDN resolving to 10.150.11.15.

Despite all the IKE parameters matching on both the FortiGate and FortiClient, the connection still fails with the error 'No Proposal Chosen. Negotiate SA Error.'

Refer to the IKE debug output below: the incoming proposal and the IKE parameters of the matched gateway (IPSecRA-P1) are identical, yet the VPN still does not connect and the error 'no proposal chosen' is logged.

ike 0: comes 192.168.10.50:500->10.150.11.15:500,ifindex=106,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=b7b2b6f09071d464/0000000000000000 len=497
ike 0: in [hash omitted]
ike 0:b7b2b6f09071d464/0000000000000000:42435: responder received SA_INIT msg
ike 0:b7b2b6f09071d464/0000000000000000:42435: VID forticlient connect license ....
ike 0:b7b2b6f09071d464/0000000000000000:42435: VID Fortinet Endpoint Control ....
ike 0:b7b2b6f09071d464/0000000000000000:42435: VID Forticlient EAP Extension ....
ike 0:b7b2b6f09071d464/0000000000000000:42435: received notify type NAT_DETECTION_SOURCE_IP
ike 0:b7b2b6f09071d464/0000000000000000:42435: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:b7b2b6f09071d464/0000000000000000:42435: received notify type VPN_NETWORK_ID
ike 0:b7b2b6f09071d464/0000000000000000:42435: NETWORK ID : 0
ike 0:b7b2b6f09071d464/0000000000000000:42435: incoming proposal:
ike 0:b7b2b6f09071d464/0000000000000000:42435: proposal id = 1:
ike 0:b7b2b6f09071d464/0000000000000000:42435: protocol = IKEv2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: encapsulation = IKEv2/none
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP1536.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP2048.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=ECP384.
ike 0:b7b2b6f09071d464/0000000000000000:42435: proposal id = 2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: protocol = IKEv2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: encapsulation = IKEv2/none
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP1536.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP2048.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=ECP384.
ike 0:b7b2b6f09071d464/0000000000000000:42435: my proposal, gw IPSecRA-P1:
ike 0:b7b2b6f09071d464/0000000000000000:42435: proposal id = 1:
ike 0:b7b2b6f09071d464/0000000000000000:42435: protocol = IKEv2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: encapsulation = IKEv2/none
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP1536.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP2048.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=ECP384.
ike 0:b7b2b6f09071d464/0000000000000000:42435: lifetime=86400
ike 0:b7b2b6f09071d464/0000000000000000:42435: proposal id = 2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: protocol = IKEv2:
ike 0:b7b2b6f09071d464/0000000000000000:42435: encapsulation = IKEv2/none
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP1536.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=MODP2048.
ike 0:b7b2b6f09071d464/0000000000000000:42435: type=DH_GROUP, val=ECP384.
ike 0:b7b2b6f09071d464/0000000000000000:42435: lifetime=86400
ike 0:b7b2b6f09071d464/0000000000000000:42435: no proposal chosen
ike Negotiate SA Error:... ike [11089]

To resolve this issue, configure 'local-gw' (local gateway) under the IPsec phase 1 so that the tunnel listens on the secondary IP 10.150.11.15.

config vpn ipsec phase1-interface
   edit "VPN"
     set local-gw 10.150.11.15
     next
   end

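The two gateway checks this article walks through, as an added Python example that is not part of the original article and not a Fortinet tool: it parses the phase 1 and 'get sys int' text shown above (transcribed into shortened, constructed samples), verifies that each side's remote-gw is the address the peer's phase 1 actually listens on (scenario 1), and verifies that the address a dial-up SA_INIT arrives at is the phase 1's local-gw or bound-interface IP (scenario 2). The function names, and the assumed rule that a phase 1 listens on local-gw when set and otherwise on its bound interface's primary IP, are this example's own assumptions.

```python
import re

# Constructed samples transcribed from the scenario 1 output above; only the fields the check uses.
FGT_A_PHASE1 = 'config vpn ipsec phase1-interface\n edit "testvpn"\n  set interface "port1"\n  set remote-gw 10.9.10.43\n next\nend'
FGT_A_SYS_INT = "name: port1 mode: static ip: 10.9.11.1 255.255.240.0 status: up\nname: port3 mode: dhcp ip: 10.9.32.4 255.255.240.0 status: up\nname: testvpn ip: 0.0.0.0 0.0.0.0 status: down"
FGT_B_PHASE1 = 'config vpn ipsec phase1-interface\n edit "test_dup2"\n  set interface "port3"\n  set remote-gw 10.9.32.4\n next\nend'
FGT_B_SYS_INT = "name: port1 mode: static ip: 10.9.10.43 255.255.240.0 status: up\nname: port3 mode: dhcp ip: 10.9.32.11 255.255.240.0 status: up"

def parse_phase1(cli_text):
    """Return {tunnel_name: {setting: value}} from a 'config vpn ipsec phase1-interface' dump."""
    tunnels, current = {}, None
    for line in cli_text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = tunnels.setdefault(m.group(1), {})
        elif (m := re.match(r"set (\S+) (.+)", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return tunnels

def parse_sys_int(get_sys_int):
    """Return {interface_name: ip} from 'get sys int' output (tunnel interfaces show 0.0.0.0)."""
    return dict(re.findall(r"name: (\S+) (?:mode: \S+ )?ip: (\S+)", get_sys_int))

def listening_ip(tunnels, ifaces, tunnel):
    """Assumed rule: a phase 1 accepts IKE on local-gw if set, else on its bound interface's IP."""
    p1 = tunnels[tunnel]
    return p1.get("local-gw") or ifaces.get(p1.get("interface"))

def check_site_to_site(a, b):
    """a, b = (tunnels, ifaces, tunnel_name). Each side's remote-gw must be the peer's listening IP."""
    problems = []
    for mine, peer in ((a, b), (b, a)):
        got = mine[0][mine[2]].get("remote-gw")
        expected = listening_ip(*peer)
        if got != expected:
            problems.append(f"{mine[2]}: remote-gw {got}, but peer {peer[2]} listens on {expected}")
    return problems

def check_dialup(tunnels, ifaces, tunnel, sa_init_dst):
    """Scenario 2: the <dst> in the debug line 'comes <src>-><dst>' must be the listening IP."""
    return listening_ip(tunnels, ifaces, tunnel) == sa_init_dst

if __name__ == "__main__":
    a = (parse_phase1(FGT_A_PHASE1), parse_sys_int(FGT_A_SYS_INT), "testvpn")
    b = (parse_phase1(FGT_B_PHASE1), parse_sys_int(FGT_B_SYS_INT), "test_dup2")
    for problem in check_site_to_site(a, b):
        print(problem)
    # Dial-up phase 1 bound to port1 (172.16.30.15) while FortiClient targets the secondary IP.
    print(check_dialup({"VPN": {"interface": "port1"}}, {"port1": "172.16.30.15"}, "VPN", "10.150.11.15"))  # False
```

Running it reports both scenario 1 mismatches, one per tunnel, and returns True for the dial-up case only once 'local-gw' is set to 10.150.11.15.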
Related article

Technical Tip: Local Gateway - IPsec VPN