When troubleshooting IPsec VPN issues on a FortiGate, the IKE debug output may show 'Negotiate SA Error: [11895]'. A common cause is a remote gateway address mismatch: the remote-gw on one or both sides is not the address the peer's IKE packets actually come from.
The sample configuration below shows the relevant parts of an IPsec tunnel configured between two FortiGates, A and B.
FortiGate A:
config vpn ipsec phase1-interface
    edit "testvpn"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set comments "VPN: testvpn (Created by VPN wizard)"
        set remote-gw 10.9.10.43
        set psksecret ENC uDAhksiMdnllHdJjSg0zP7VKWy808PQmk+kpWQ4898rPtnTUzaEI/ee5g+TMrN2EIpMFBl0R/L12rD+yM5zDNx8udDBXcjZUDP7EyuPcYD8tDvPQ5DH5+wyvkXHbvR6uNiA7rGE/Eci4AL8OY3SZyjGwLXNP+E1+OL4Y+g7/VlXsJrVhwVB4wpgWvrf5/4dWYhDxc1lmMjY3dkVA
    next
end
get sys int
== [ port1 ]
name: port1 mode: static ip: 10.9.11.1 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
== [ port3 ]
name: port3 mode: dhcp ip: 10.9.32.4 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
== [ testvpn ]
name: testvpn ip: 0.0.0.0 0.0.0.0 status: down netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable mtu-override: disable
FortiGate B:
config vpn ipsec phase1-interface
    edit "test_dup2"
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set comments "VPN: test_dup2 (Created by VPN wizard)"
        set remote-gw 10.9.32.4
        set psksecret ENC SgTLn666ej+BskqxrEQh15UNglbbIIaifeXMNx5rnslfif0/ba+LSKyW0oZoLR/LzTekLODvz8q+u0wB7UqhJ+2RRqMNOVmtUYmgMoh7goQFAt3XhMNOYFzcxvVzw7ePcDNfxEYB2/CE/WxQtLa5FI7wHBlHHk8bvmX0EDcddMnjgNiAoIfs8KKj2JcT5a+9TuHacllmMjY3dkVA
    next
end
get sys int
== [ port1 ]
name: port1 mode: static ip: 10.9.10.43 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
== [ port3 ]
name: port3 mode: dhcp ip: 10.9.32.11 255.255.240.0 status: up netbios-forward: disable type: physical ring-rx: 0 ring-tx: 0 netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable
== [ test_dup2 ]
name: test_dup2 ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable wccp: disable mtu-override: disable
The remote-gw values on the two sides do not correspond to the interfaces the phase1s are bound to. FortiGate A binds testvpn to its port1 (10.9.11.1) and points remote-gw at FortiGate B's port1 address (10.9.10.43); FortiGate B binds test_dup2 to its port3 (10.9.32.11) and points remote-gw at FortiGate A's port3 address (10.9.32.4). Each side is therefore waiting for IKE from an address the other side never sends from: B's SA_INIT leaves port3 as 10.9.32.11, but the only phase1 on A expects 10.9.10.43, and A's would leave port1 as 10.9.11.1, which no phase1 on B expects.
Debug Outputs.
FortiGate B (initiator):
ike V=root:0:test_dup2:test_dup2: IPsec SA connect 5 10.9.32.11->10.9.32.4:0
ike V=root:0:test_dup2:test_dup2: using existing connection
ike V=root:0:test_dup2:test_dup2: config found
ike V=root:0:test_dup2: request is on the queue
ike 0:test_dup2:56: out ...
ike V=root:0:test_dup2:56: sent IKE msg (P1_RETRANSMIT): 10.9.32.11:500->10.9.32.4:500, len=722, vrf=0, id=ca2c786a2244f30e/0000000000000000
ike :shrank heap by 135168 bytes
ike V=root:0:test_dup2:test_dup2: IPsec SA connect 5 10.9.32.11->10.9.32.4:0
ike V=root:0:test_dup2:test_dup2: using existing connection
ike V=root:0:test_dup2:test_dup2: config found
ike V=root:0:test_dup2: request is on the queue
FortiGate A (responder):
2025-04-02 06:19:36.879931 ike V=root:0: comes 10.9.32.11:500->10.9.32.4:500,ifindex=5,vrf=0,len=500....
2025-04-02 06:19:36.880623 ike V=root:0: IKEv2 exchange=SA_INIT id=9089714b849fe991/0000000000000000 len=500
2025-04-02 06:19:36.881253 ike 0: in 9089714B849FE99100000000000000002120220800000000000001F42200006C02000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000005000000080400000E00000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E28000108000E00009A4ED316649DD07D77068923584C09454421767F8CC5E8B7F6E660ED81F1D701EB9C664BD2E6B2C4F5182A0197C050035C9548A0D9F14694542563A2CB138D6E28C3CFEF4234DF58A3C09B97FAC39394D4E082B009B54BB2BFD4B8EBCE7C4EA823448A3F2CB476E7346766FA9DC48D5AB42545FEFFBB88F845FB5316D5638E294A66034BACC20DCA993FFB6B46CC98131A8B32C7EF33BEE9FED1209475F025A3B1ABA93DB43F92B705698238A5129009CDC37E9D2EEC79CE531FC5EEEEEACA3EEC27629AA4FE1DF2584F7DA3B1B0462DBB705461F192BC7FF05FAC10791CCA8319C62BAD368A079A525529D0CA02B1D15070DCC8250E02F63FD3EE439E40EC942900002434280CFA5E8FFAC8CCA6D63E02750EE789B412D6D42DB4772A58A1E3DCDB81D32900001C00004004FA66D1C185A0CEAA40706E52469CA4F67D404ECF2900001C0000400589EF4B1D9B5FE9CB3169CEBBC4885E464E1A70B8000000080000402E
2025-04-02 06:19:36.886291 ike V=root:0:9089714b849fe991/0000000000000000:260: responder received SA_INIT msg
2025-04-02 06:19:36.886896 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type NAT_DETECTION_SOURCE_IP
2025-04-02 06:19:36.887552 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type NAT_DETECTION_DESTINATION_IP
2025-04-02 06:19:36.888229 ike V=root:0:9089714b849fe991/0000000000000000:260: received notify type FRAGMENTATION_SUPPORTED
2025-04-02 06:19:36.888905 ike V=root:0:9089714b849fe991/0000000000000000:260: incoming proposal:
2025-04-02 06:19:36.889449 ike V=root:0:9089714b849fe991/0000000000000000:260: proposal id = 1:
2025-04-02 06:19:36.889971 ike V=root:0:9089714b849fe991/0000000000000000:260: protocol = IKEv2:
2025-04-02 06:19:36.890522 ike V=root:0:9089714b849fe991/0000000000000000:260: encapsulation = IKEv2/none
2025-04-02 06:19:36.891125 ike V=root:0:9089714b849fe991/0000000000000000:260: type=ENCR, val=AES_CBC (key_len = 128)
2025-04-02 06:19:36.891799 ike V=root:0:9089714b849fe991/0000000000000000:260: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2025-04-02 06:19:36.892483 ike V=root:0:9089714b849fe991/0000000000000000:260: type=PRF, val=PRF_HMAC_SHA2_256
2025-04-02 06:19:36.893120 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP2048.
2025-04-02 06:19:36.893754 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP1536.
2025-04-02 06:19:36.894382 ike V=root:0:9089714b849fe991/0000000000000000:260: proposal id = 2:
2025-04-02 06:19:36.894905 ike V=root:0:9089714b849fe991/0000000000000000:260: protocol = IKEv2:
2025-04-02 06:19:36.895449 ike V=root:0:9089714b849fe991/0000000000000000:260: encapsulation = IKEv2/none
2025-04-02 06:19:36.896045 ike V=root:0:9089714b849fe991/0000000000000000:260: type=ENCR, val=AES_CBC (key_len = 256)
2025-04-02 06:19:36.896726 ike V=root:0:9089714b849fe991/0000000000000000:260: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
2025-04-02 06:19:36.897394 ike V=root:0:9089714b849fe991/0000000000000000:260: type=PRF, val=PRF_HMAC_SHA2_256
2025-04-02 06:19:36.898035 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP2048.
2025-04-02 06:19:36.898705 ike V=root:0:9089714b849fe991/0000000000000000:260: type=DH_GROUP, val=MODP1536.
2025-04-02 06:19:36.899472 ike V=root:0:9089714b849fe991/0000000000000000:260: no proposal chosen
2025-04-02 06:19:36.900083 ike V=root:Negotiate SA Error: [11895]
FortiGate A is the responder here. The SA_INIT arrives on port3 (10.9.32.4) from 10.9.32.11, an address that no phase1 on A names as remote-gw (testvpn is bound to port1 and expects 10.9.10.43), so A rejects the exchange and logs 'no proposal chosen' followed by 'Negotiate SA Error: [11895]'. The proposal list itself is not the problem: the incoming AES_CBC 128/256 with HMAC-SHA2-256 entries correspond to the aes128-sha256 aes256-sha256 configured on both sides, so the 'comes src->dst' line, not the algorithm lines, is the one to compare against each phase1's interface and remote-gw.
After correcting this so that each side's remote-gw is the address of the interface the peer's phase1 is bound to (in this sample, re-pointing one of the FortiGates, interface and remote-gw together, so that the pair agrees), the tunnel comes up as expected, provided the rest of the configuration is correct.
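The two checks described above, the pairing rule for remote-gw against the peer's interface address and the reading of the responder's 'comes src->dst' debug line, as an added example that is not part of the original article or of FortiOS. It parses trimmed copies of the configs and of the FortiGate A debug lines shown on this page (the debug lines are what 'diagnose debug application ike -1' with 'diagnose debug enable' prints), flags both mismatched remote-gw values, explains why A answers 'no proposal chosen', and then re-runs the check with A re-pointed at B's port3 address from its own port3. Only static-gateway phase1s are modelled; dialup peers are outside what this code assumes.

```python
"""Added example, not from the page or Fortinet: cross-check two FortiGate
phase1-interface entries against the interface addresses each side sends
from, and triage 'ike' debug lines for an inbound SA_INIT no phase1 matches.
Assumption: every phase1 has a static remote-gw (dialup peers not covered)."""
import re

# Constructed inputs, trimmed from the FortiGate A / FortiGate B output on the page.
A_PHASE1 = """config vpn ipsec phase1-interface
    edit "testvpn"
        set interface "port1"
        set remote-gw 10.9.10.43
    next
end"""
A_IFACES = """== [ port1 ]
name: port1 mode: static ip: 10.9.11.1 255.255.240.0 status: up
== [ port3 ]
name: port3 mode: dhcp ip: 10.9.32.4 255.255.240.0 status: up"""
B_PHASE1 = """config vpn ipsec phase1-interface
    edit "test_dup2"
        set interface "port3"
        set remote-gw 10.9.32.4
    next
end"""
B_IFACES = """== [ port1 ]
name: port1 mode: static ip: 10.9.10.43 255.255.240.0 status: up
== [ port3 ]
name: port3 mode: dhcp ip: 10.9.32.11 255.255.240.0 status: up"""
A_IKE_DEBUG = """ike V=root:0: comes 10.9.32.11:500->10.9.32.4:500,ifindex=5,vrf=0,len=500....
ike V=root:0: IKEv2 exchange=SA_INIT id=9089714b849fe991/0000000000000000 len=500
ike V=root:0:9089714b849fe991/0000000000000000:260: no proposal chosen
ike V=root:Negotiate SA Error: [11895]"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IFACE_RE = re.compile(r"name:\s*(\S+).*?\bip:\s*" + IPV4)
COMES_RE = re.compile(r"\bcomes " + IPV4 + r":\d+->" + IPV4 + r":\d+")


def parse_phase1(text):
    """{tunnel: {'interface', 'remote_gw'}} from a phase1-interface block."""
    tunnels, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = line.split('"')[1]
            tunnels[cur] = {}
        elif cur and line.startswith("set interface "):
            tunnels[cur]["interface"] = line.split('"')[1]
        elif cur and line.startswith("set remote-gw "):
            tunnels[cur]["remote_gw"] = line.split()[2]
    return tunnels


def parse_interfaces(text):
    """{interface: ip} from 'get system interface' output, one line per
    interface or run together; the lazy match stays within a line."""
    return {m.group(1): m.group(2) for m in IFACE_RE.finditer(text)}


def cross_check(a_name, a_tun, a_ifs, b_name, b_tun, b_ifs):
    """Invariant for a tunnel pair: each side's remote-gw must equal the IP of
    the interface the other side's phase1 is bound to, because that is the
    source address of the peer's IKE packets."""
    findings = []
    a_src = a_ifs.get(a_tun.get("interface"))
    b_src = b_ifs.get(b_tun.get("interface"))
    if a_tun.get("remote_gw") != b_src:
        findings.append(f"{a_name}: remote-gw {a_tun.get('remote_gw')} but peer "
                        f"{b_name} sends from {b_src} ({b_tun.get('interface')})")
    if b_tun.get("remote_gw") != a_src:
        findings.append(f"{b_name}: remote-gw {b_tun.get('remote_gw')} but peer "
                        f"{a_name} sends from {a_src} ({a_tun.get('interface')})")
    return findings


def triage_ike_debug(debug_text, tunnels, ifaces):
    """For each inbound 'comes src->dst' line, name the local phase1 whose
    remote-gw is src and whose interface holds dst, or say why the responder
    will answer 'no proposal chosen'."""
    findings = []
    for src, dst in COMES_RE.findall(debug_text):
        hit = [n for n, t in tunnels.items()
               if t.get("remote_gw") == src and ifaces.get(t.get("interface")) == dst]
        if hit:
            findings.append(f"{src}->{dst}: matches phase1 {hit[0]}")
        else:
            findings.append(f"{src}->{dst}: no phase1 with remote-gw {src} bound to "
                            f"the interface holding {dst}; 'no proposal chosen' expected")
    if "Negotiate SA Error" in debug_text:
        findings.append("responder logged Negotiate SA Error")
    return findings


def run_example():
    """The page's broken pair, A's debug triage, then A re-pointed at B's
    port3 address (10.9.32.11) from A's own port3."""
    a, b = parse_phase1(A_PHASE1), parse_phase1(B_PHASE1)
    a_ifs, b_ifs = parse_interfaces(A_IFACES), parse_interfaces(B_IFACES)
    broken = cross_check("testvpn", a["testvpn"], a_ifs, "test_dup2", b["test_dup2"], b_ifs)
    debug = triage_ike_debug(A_IKE_DEBUG, a, a_ifs)
    fixed_a = {"testvpn": {"interface": "port3", "remote_gw": "10.9.32.11"}}
    fixed = cross_check("testvpn", fixed_a["testvpn"], a_ifs, "test_dup2", b["test_dup2"], b_ifs)
    return broken, debug, fixed
```

Running run_example() returns two cross-check findings for the page's configuration (one per FortiGate), a triage line saying that 10.9.32.11->10.9.32.4 matches no phase1 on A plus the Negotiate SA Error marker, and an empty finding list once A is bound to port3 with remote-gw 10.9.32.11. Moving B to port1 with remote-gw 10.9.11.1 instead would satisfy the same invariant.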