New Contributor II

IPsec dial-in VPN on loopback

Putting an IPsec tunnel onto a loopback interface has led continuously to an error of unknown SPI, like:


2024-03-05 21:32:19.150302 ike V=root:0:IPsec_demo_0:IPsec_demo:2975: send SA_DONE SPI 0x94f4245
2024-03-05 21:32:19.221924 ike V=root:0: unknown SPI 2f50eb14 54>

Trying to solve this issue by defining the local gateway address with help of


set local-gw


leads to another error:

2024-03-05 21:30:24.705268 ike V=root:0:26af7e33589f4514/0000000000000000:153: no SA proposal chosen


Any pointers appreciated ... Rgds Guenther
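A small triage pass over ike debug output of the shape quoted above, added here as an example and not taken from this thread or from Fortinet. It constructs its sample from the three quoted lines and checks whether each "unknown SPI" value matches an SPI this gateway itself announced with SA_DONE (note the two messages print the SPI in different hex formats, so they are normalised before comparison):

```python
import re
from collections import Counter

# Constructed sample built from the ike debug lines quoted in this thread.
SAMPLE_LOG = """\
2024-03-05 21:30:24.705268 ike V=root:0:26af7e33589f4514/0000000000000000:153: no SA proposal chosen
2024-03-05 21:32:19.150302 ike V=root:0:IPsec_demo_0:IPsec_demo:2975: send SA_DONE SPI 0x94f4245
2024-03-05 21:32:19.221924 ike V=root:0: unknown SPI 2f50eb14 54>
"""

# "<date> <time> ike V=<vdom>:<rest of message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ike V=(?P<vdom>[^:]+):(?P<body>.*)$")

# Message shapes the triage looks for, tested in this order.
PATTERNS = [
    ("sa_done", re.compile(r"send SA_DONE SPI (?P<spi>0x[0-9a-f]+)", re.I)),
    ("unknown_spi", re.compile(r"unknown SPI (?P<spi>[0-9a-f]+)", re.I)),
    ("no_proposal", re.compile(r"no SA proposal chosen", re.I)),
]

def norm_spi(spi):
    """Map '0x94f4245' and '2f50eb14' to one comparable integer form."""
    return int(spi, 16)

def parse_ike_log(text):
    """Return one event dict per recognised line: ts, kind, spi (or None)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS:
            hit = pat.search(m.group("body"))
            if hit:
                spi = hit.groupdict().get("spi")
                events.append({"ts": m.group("ts"), "kind": kind,
                               "spi": norm_spi(spi) if spi else None})
                break
    return events

def triage(events):
    """Count each failure kind and list unknown SPIs that this side never installed."""
    installed = {e["spi"] for e in events if e["kind"] == "sa_done"}
    counts = Counter(e["kind"] for e in events)
    orphans = sorted(e["spi"] for e in events
                     if e["kind"] == "unknown_spi" and e["spi"] not in installed)
    return {"counts": dict(counts), "orphan_unknown_spis": orphans}

if __name__ == "__main__":
    print(triage(parse_ike_log(SAMPLE_LOG)))
```

An unknown SPI that does not appear in any SA_DONE line is one the peer is using but this gateway never negotiated, which separates an SA lookup/binding problem from a proposal mismatch at a glance.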


Please ensure that the remote-gateway is reachable too. You may find this guide helpful to your query: 


Thanks for your answer. Unfortunately it's a dial up remote - therefore no remote-gw is defined.

But the remote site is reachable in any case.


Hi @Guenther 

In the latter one, you can see the reason seems not related to routing reachability. It may be associated with the configuration of IPsec, usually due to a mismatch in the phase 1 encrypt/auth algorithm. You can check the issue following this link


New Contributor II

Hi Bill,

unfortunately the negotiation fails only if the statement

set local-gw

is activated. If I remove this statement, the tunnel is coming up again (but not carrying any traffic due to SPI mismatch as initially described).


To put it in a nutshell:

(a) without local-gw, the tunnel comes up but does not carry any traffic,

(b) with local-gw, the tunnel initialization fails with a "no SA proposal chosen"


Any ideas?


Is the loopback interface configured on the FGT acting as Dialup Server?
Is the below IP configured on any interface?
set local-gw

There was a common issue a while back which can be resolved by following the below KB article:

New Contributor II

Hello @ezhupa ,

the solution of placing it on a 2ndary interface works fine. We would like to use a loopback interface for limiting access by another policy.

SuperUser

is in CGNAT IP range. If local ISP is using CGNAT, you can't receive/terminate IPsec VPNs. It can only initiate IPsec VPNs as a dialup client. Check with your ISP.




Hello @Toshi_Esumi ,

as the FG is serving as dialin server, we do not worry about the CGNAT (which is used internally as well). But you're right: it's ISP address space.
