What is your profile on the Fortigate? Is DPD enabled? It's possible the Fgate thinks the peer is dead so will no longer accept packets for that SA. Also, check your settings on the SA, lifetime, keepalives, etc...
Warning - Long post. You can specify vlans based on 802.1x MAC Authentication to a radius server (See bold print)... Straight from Cisco docs (of course this would be on a "cisco" switch but in principle it can be done anywhere). Using 802.1X Authentication with VLAN Assignment After succe...
I believe you need to create a bridge on your trunked interface and tie your vlans to that bridge first. This is how I have mine configured:

    #   NAME       MTU   ARP       VLAN-ID  INTERFACE
    0 R dsl1       1500  disabled  995      bridge1
    1 R dsl2       1500  disabled  996      bridge1
    2 R wifipppoe  1500  disabled  997      bridge1
    3 R akwifi100  15...