Chapter 11 IPsec VPN for FortiOS 5.0 : Phase 2 parameters : Advanced phase 2 settings : Auto-negotiate
  
Auto-negotiate
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
Automatically establishing the SA can also be important for a dialup peer. This ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.
When enabled, auto-negotiate initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.
The auto-negotiate feature is available only through the Command Line Interface (CLI). Use the following commands to enable it.
config vpn ipsec phase2
edit <phase2_name>
set auto-negotiate enable
end
If the tunnel goes down, the auto-negotiate feature will attempt to re-establish it. However, the Autokey Keep Alive feature is a better method to ensure your VPN remains up.