When the device receives an IKE_SA_INIT from any valid peer, it initiates a tunnel on its own to that peer. This leads to CHILD_SA duplication.
The FortiGate device sometimes sends an invalid checksum. This causes strongSwan to switch to NAT-T encapsulated ESP while the FortiGate device does not switch, so strongSwan does not process inbound traffic. The workaround is to force ESPinUDP encapsulation, i.e. to set
connections.<conn>.encap = yes in