Just a guess, can you check if the Fortigate is always in "responder" role? Run diagnose vpn ike gateway list name <Name> , and look for role specified under "direction: "

If thats the case, may be there can be a configuration on the watchguard side to allow incoming VPN connections (may be enabling the service under interface or something like that) .

Some vendors don't allow the IKE/VPN service by default on their interfaces, which means we cannot initiate a tunnel towards them, but they can initiate a tunnel and when we reply they will process that even if the service is not enabled on the interface.

For example, we use "set allowaccess ping https ssh http telnet" under Fortigate interface configuration to allow these services,lets say we don't have ping enabled under this interface, it means no one can ping us, but we can ping and it will work. I am talking about a similar option for ike/vpn on the watchguard side.

I think if you just clear the tunnel from Fortigate side, it will try to initiate a new tunnel , can you check if the "direction" becomes Initiator in Fortigate side?
If we see the fortigate side as initiator then my theory is wrong and it could be some other issue.

i knocked the whole tunnel down from the fortinet side.

resurfaced making a traffic request.

and now it says:

direction: initiator

what does this mean??

Thanks for testing, this confirms it is mostly not a service allow issue, but you mentioned that you had to start traffic to initiate the tunnel again.

Can you check if "auto-negotiate" is enabled under phase2 interface?

# config vpn ipsec phase2-interface
    edit <phase2_name>
        set auto-negotiate enable
    next
end

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...

no it was disabled now i enabled it.

Right ??

Great, I believe this will fix the issue. Please monitor.