On the FGT side, most best practices mentioned also apply:
- create address objects for the networks to be protected, and those on the CP, to be used here:
  - in the phase2
  - in the static route
  - in the policy
This way, you only have to edit one central object to change the network definition, or add more networks.
Be careful when you need to tunnel multiple networks. Some firewalls allow the use of an address group in phase2, like the FGT. Some will only allow one phase2 definition for each network, like a Cisco ASA. Check that with CP.
Also, check if you can use IKEv2, or IKEv1 only. You need to know in advance.
All other IKE and IPsec parameters are pretty common, just make sure they match. On the FGT side, I would not offer a zillion proposals, just the one I know will be supported and be safe enough for my purposes.
The only parameter which might be difficult to implement is DPD. There are vendors who do not support this, or in a different fashion.
All 3 configs mentioned above are needed before an IPsec tunnel will come up in FortiOS. Specifically, no policy - no tunnel.
And, lastly, the one Best Practice for VPNs above all: install blackhole routes for all private networks! I've been posting this several times on this forum with explanations, you might find it useful.
"Kernel panic: Aiee, killing interrupt handler!"