The Fortinet can successfully initiate to the Check Point because when the Check Point is the responder, it is not picky about getting an exact match for the IKE Phase 2 subnets/Proxy-IDs proposed by the Fortinet; as long as the proposed subnets fall completely within the defined VPN domains for both peers, the Check Point will accept it.
However, when the Check Point is the initiator, as the responder the Fortinet is VERY PICKY and its subnet configuration must exactly match what is being proposed by the Check Point or it will fail. Everything including subnet mask length must match exactly. See my response in this thread for how to force the Check Point to propose exactly what the Fortinet wants so it will match exactly:
Alternatively, if you are using R80.40+ on both management and gateway, there is a new capability to create user-defined VPN domains for both participating gateways on a per-community basis that will give you the granularity needed to match what the Fortinet is expecting in the Phase 2 proposal from the Check Point. You will also experience this same "picky" behavior with Juniper and SonicWall, among others.
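The asymmetry described in the post above can be reproduced offline with a small model of the two responder behaviours. This is an added example, not part of the original post and not vendor code; the function names, VPN domains and selectors are constructed for illustration.

```python
from ipaddress import ip_network

def lenient_accepts(proposal, initiator_domain, responder_domain):
    """Responder that accepts any proposal falling completely inside both VPN domains."""
    src, dst = (ip_network(n) for n in proposal)
    return (any(src.subnet_of(ip_network(d)) for d in initiator_domain)
            and any(dst.subnet_of(ip_network(d)) for d in responder_domain))

def strict_accepts(proposal, selectors):
    """Responder that requires an exact match, mask length included."""
    want = tuple(ip_network(n) for n in proposal)
    return any(want == tuple(ip_network(n) for n in sel) for sel in selectors)

def explain_strict_failure(proposal, selectors):
    """List which side of the proposal differs from each configured selector pair."""
    notes = []
    for sel in selectors:
        for side, got, cfg in zip(("initiator", "responder"), proposal, sel):
            g, c = ip_network(got), ip_network(cfg)
            if g != c:
                # Unequal but overlapping networks differ only in prefix length.
                kind = "mask length differs" if g.overlaps(c) else "different network"
                notes.append(f"{side} side: proposed {g}, configured {c} ({kind})")
    return notes

# Constructed sample topology (assumptions, not from the post).
CP_DOMAIN = ["10.1.0.0/16"]                          # Check Point VPN domain
FGT_DOMAIN = ["192.168.10.0/24"]                     # Fortinet VPN domain
FGT_SELECTORS = [("10.1.1.0/24", "192.168.10.0/24")] # (remote, local) on the Fortinet

# Proposals are written as (initiator-side subnet, responder-side subnet).
FGT_INITIATES = ("192.168.10.0/24", "10.1.1.0/24")
CP_INITIATES_WIDE = ("10.1.0.0/16", "192.168.10.0/24")
CP_INITIATES_EXACT = ("10.1.1.0/24", "192.168.10.0/24")

if __name__ == "__main__":
    print("Fortinet -> Check Point:", lenient_accepts(FGT_INITIATES, FGT_DOMAIN, CP_DOMAIN))
    print("Check Point -> Fortinet (wide):", strict_accepts(CP_INITIATES_WIDE, FGT_SELECTORS))
    for note in explain_strict_failure(CP_INITIATES_WIDE, FGT_SELECTORS):
        print("  ", note)
    print("Check Point -> Fortinet (exact):", strict_accepts(CP_INITIATES_EXACT, FGT_SELECTORS))
```
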