bvagadia
Staff
Article Id 205118
Description This article addresses the issue of not being able to reach peer IPs over an IPsec VPN to a non-FortiGate unit when multiple subnets are configured on the tunnel.
Scope FortiGate.
Solution

If there is more than one subnet (local and/or remote) configured over the IPsec VPN, more than one phase2 selector should be configured, instead of including multiple firewall addresses in a single firewall address group and defining that group as a single phase2 selector.

The reason is that when there is only one phase2 selector defined on the FortiGate, it will use the same SPI value to bring up phase 2 for all the subnets configured in that phase2.

This often does not work with third-party vendor units, because they expect a unique SPI value for each configured subnet.

Therefore, it is advised to use separate phase2 selectors when the IPsec VPN tunnel is configured between a FortiGate and a third-party vendor, as every vendor has its own IPsec implementation.


The solution is to configure multiple phase2 selectors on the FortiGate, so that each configured phase2 uses a unique SPI value for each distinct subnet.


Route-based IPsec VPN:

config vpn ipsec phase2-interface
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end


Policy-based IPsec VPN:

config vpn ipsec phase2
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end

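As an added example that is not part of the original article, the following Python script generates one phase2 selector per local/remote subnet pair, in either the route-based (phase2-interface) or policy-based (phase2) form shown above. The selector naming scheme and the helper names are assumptions; it only reproduces CLI keywords already used on this page.

```python
import itertools
import ipaddress


def fortios_mask(net: ipaddress.IPv4Network) -> str:
    """Render a network the way the FortiOS CLI expects it: 'address netmask'."""
    return f"{net.network_address} {net.netmask}"


def phase2_selectors(phase1name, local_subnets, remote_subnets, route_based=True):
    """Build one phase2 selector per (local, remote) subnet pair.

    Each selector negotiates its own IPsec SA with its own SPI, which is what
    third-party peers expect, instead of one selector that carries an address
    group. Returns the CLI text and the number of selectors produced.
    Selector names ("<phase1name> selN") are an assumed convention.
    """
    table = "phase2-interface" if route_based else "phase2"
    lines = [f"config vpn ipsec {table}"]
    pairs = list(itertools.product(
        [ipaddress.ip_network(s) for s in local_subnets],
        [ipaddress.ip_network(s) for s in remote_subnets],
    ))
    for idx, (local, remote) in enumerate(pairs, start=1):
        lines.append(f'    edit "{phase1name} sel{idx}"')
        lines.append(f'        set phase1name "{phase1name}"')
        if route_based:
            # auto-negotiate only applies to the interface-based tunnel
            lines.append("        set auto-negotiate enable")
        lines.append(f"        set src-subnet {fortios_mask(local)}")
        lines.append(f"        set dst-subnet {fortios_mask(remote)}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines), len(pairs)


if __name__ == "__main__":
    # Constructed input matching the subnets used in this article.
    cfg, count = phase2_selectors(
        "VPN to Cisco", ["192.168.0.0/24"], ["10.142.0.0/23", "10.143.0.0/23"]
    )
    print(f"{count} selectors generated:\n{cfg}")
```

Two local and two remote subnets yield four selectors; that is the full mesh of phase2 entries a vendor peer expects when every subnet pair must be in its own SA.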

Alternatively, for IKEv1 tunnels it is possible to configure mesh-selector-type so that selectors are installed dynamically instead of being defined statically.


mesh-selector-type {disable | subnet | host}


Note:

This entry is only available when ike-version is set to 1.

It is disabled by default; for IKEv1 VPNs, dynamic mesh selectors can be set to either subnet or host.


Note that dynamic selectors are not saved to the configuration and will be removed when tunnels are flushed.


Use subnet to install a selector for the address group that matches the traffic packets.


Use host to install a selector for the source and destination IP addresses of the traffic packets.


Note:

The equivalent of the IKEv1 ‘set mesh-selector-type subnet’ setting in IKEv2 is the ‘set initiator-ts-narrow enable’ configured on the phase2-interface.


Related articles:

Technical Tip: IKE v2 traffic selector narrowing 

Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'