FortiGate
adimailig
Staff & Editor
Article Id 421865
Description This article describes how to troubleshoot and resolve an IPsec Phase 2 tunnel that stays down between a Unifi Gateway and a FortiGate located behind a NAT router.
Scope FortiGate.
Solution

If Phase 1 between the Unifi Gateway and the FortiGate comes up but Phase 2 stays down, work through the following steps:

  1. Verify that Phase 1 authentication (PSK) succeeds and that the Phase 1 tunnel is up.
  2. Check the IKE debug output to confirm that the incoming IKE negotiation is being matched to the intended IPsec tunnel (Phase 1 name) on the FortiGate and not to another tunnel or to a dial-up configuration.
  3. In the Unifi VPN configuration, disable 'Auto' for Remote Authentication and set it to the private IP address of the FortiGate. A FortiGate behind NAT identifies itself in IKE with the address of its own outgoing interface, which is the private address, not the public address of the NAT router; with 'Auto', the Unifi Gateway expects the public NAT address as the peer identity, which does not match what the FortiGate sends. (Alternatively, configure a fixed local ID on the FortiGate Phase 1 and enter the same value on the Unifi side.)
  4. Verify that the Phase 2 tunnel is up and that LAN-to-LAN traffic passes in both directions.

 

Troubleshooting Steps:

  • Run the IKE debug, filtered on the Unifi Gateway's public IP, to follow the Phase 1 and Phase 2 negotiation. Start the debug first, then bring the tunnel up (or wait for the next negotiation attempt) so that the exchange is captured:

diagnose vpn ike log filter rem-addr4 <Remote_Peer_IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

When finished, turn debugging off again (diagnose debug disable, followed by diagnose debug reset); IKE debug at level -1 without a filter on a busy firewall generates a large amount of console output.

 

  • Check the Phase 1 and Phase 2 status. Both commands take the Phase 1 (tunnel interface) name; the Phase 2 selectors are listed under that Phase 1 entry, so there is no separate Phase 2 name to query.

Phase 1 (IKE SA state, NAT detection and the IKE/IPsec SA counters):

diagnose vpn ike gateway list name <Phase1_Name>

Phase 2 (one proxyid entry per Phase 2 selector; sa=0 means that no IPsec SA has been established for that selector):

diagnose vpn tunnel list name <Phase1_Name>

In the gateway list output, an "IKE SA" line showing established 1/1 together with an "IPsec SA" line showing established 0/n is the signature of this issue: Phase 1 is up and Phase 2 is not.
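The checks above can be scripted when many tunnels have to be reviewed. The following Python example is added here and is not part of the original article or of any Fortinet tooling. It parses constructed sample output modelled on diagnose vpn ike gateway list and diagnose vpn tunnel list (the field layout is approximate; the tunnel name to_unifi, the addresses, the counters and the "nat: me" value are invented for the example) and reports whether Phase 1 is up, whether Phase 2 is down, and whether this FortiGate detected itself behind NAT, in which case it names the private address that the Unifi side must use. It assumes the FortiGate uses its default IKE ID, the address of its outgoing interface.

```python
import re

# Constructed sample outputs, modelled on FortiOS "diagnose vpn ike gateway list"
# and "diagnose vpn tunnel list". Field layout is approximate; the name,
# addresses and counters are invented for this example.
SAMPLE_GATEWAY = """\
vd: root/0
name: to_unifi
version: 2
interface: wan1 5
addr: 192.168.10.2:4500 -> 203.0.113.10:4500
tun_id: 203.0.113.10/::203.0.113.10
created: 142s ago
nat: me
IKE SA: created 1/1  established 1/1  time 12/12/12 ms
IPsec SA: created 1/2  established 0/2  time 0/0/0 ms
"""

SAMPLE_TUNNEL = """\
name=to_unifi ver=2 serial=1 192.168.10.2:4500->203.0.113.10:4500 tun_id=203.0.113.10
proxyid_num=1 child_num=0 refcnt=3 ilast=142 olast=142 ad=/0
proxyid=to_unifi proto=0 sa=0 ref=1 serial=1
  src: 0:10.10.0.0-10.10.0.255:0
  dst: 0:10.20.0.0-10.20.0.255:0
"""


def parse_gateway(text):
    """Extract the fields needed for the Phase 1 / Phase 2 / NAT checks."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = val.strip()

    def established(key):
        m = re.search(r"established\s+(\d+)/(\d+)", fields.get(key, ""))
        return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

    # "addr: <local>:<port> -> <peer>:<port>"; port 4500 indicates NAT-T in use
    m = re.match(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)", fields.get("addr", ""))
    return {
        "name": fields.get("name", ""),
        "local_addr": m.group(1) if m else "",
        "local_port": int(m.group(2)) if m else 0,
        "peer_addr": m.group(3) if m else "",
        "ike_sa": established("IKE SA"),
        "ipsec_sa": established("IPsec SA"),
        "nat": fields.get("nat", "none"),
    }


def parse_proxyids(text):
    """Return {proxyid: {"sa": n, "src": [...], "dst": [...]}} from tunnel list output."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"proxyid=(\S+)\s.*?\bsa=(\d+)", line)
        if m:
            current = result.setdefault(m.group(1), {"sa": int(m.group(2)), "src": [], "dst": []})
            continue
        m = re.match(r"\s+(src|dst):\s+(\S+)", line)
        if m and current is not None:
            current[m.group(1)].append(m.group(2))
    return result


def diagnose(gateway_text, tunnel_text):
    """Classify the tunnel state the way the article's steps do."""
    gw = parse_gateway(gateway_text)
    findings = []
    if gw["ike_sa"][0] == 0:
        return ["phase1_down"]  # nothing else is meaningful until Phase 1 is up
    findings.append("phase1_up")
    if gw["ipsec_sa"][0] == 0:
        findings.append("phase2_down")
        if "me" in gw["nat"].split():  # this FortiGate detected itself behind NAT
            findings.append(f"local_behind_nat:{gw['local_addr']}")
        for name, p in parse_proxyids(tunnel_text).items():
            if p["sa"] == 0:
                findings.append(f"no_sa:{name}")
    else:
        findings.append("phase2_up")
    return findings


def explain(findings):
    """Turn the findings into the guidance from the article's steps."""
    hints = {
        "phase1_down": "Phase 1 is down: check the PSK, proposals and the IKE debug first.",
        "phase1_up": "Phase 1 is up.",
        "phase2_down": "Phase 2 is down: no IPsec SA is established.",
        "phase2_up": "Phase 2 is up; check routing and policies if traffic still fails.",
    }
    out = []
    for f in findings:
        if f.startswith("local_behind_nat:"):
            addr = f.split(":", 1)[1]
            out.append(f"This FortiGate is behind NAT; its IKE ID is its own address {addr}. "
                       f"Set Unifi Remote Authentication to {addr} instead of Auto.")
        elif f.startswith("no_sa:"):
            out.append(f"Phase 2 selector {f.split(':', 1)[1]} has no SA (sa=0).")
        else:
            out.append(hints[f])
    return out


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_GATEWAY, SAMPLE_TUNNEL)):
        print(line)
```

Feed it the real command output captured from the FortiGate CLI (for example via SSH) in place of the two constructed samples; the regular expressions only depend on the "IKE SA"/"IPsec SA" counters, the "addr" and "nat" fields, and the proxyid/src/dst lines, so minor layout differences between FortiOS versions should not matter.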

 

If the issue persists, open a technical case with Fortinet TAC Support. See this article: Technical Tip: How to create a ticket for Fortinet TAC.
Include the IKE debug logs gathered as described in this article: Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity.