Best practices for creating ipsec-tunnels on Mikrotik hardware?

Hello,

We have a central office (Server side) and several branches (Client side), connected via ipsec in tunnel mode.
what are the best practices for creating ipsec tunnels? (we need fast tunnel establishment and fast reconnection).
three variants are possible:
1)
Server side: Manually created policies, “Generate policy=no”, “Passive=no”
Client side: Dynamic policies, “Generate policy=port-strict”, “Passive=yes”

Server side: Dynamic policies, “Generate policy=port-strict”, “Passive=yes”
Client side: Manually created policies, “Generate policy=no”, “Passive=no”

Server side: Manually created policies, “Generate policy=no”, “Passive=no”
Client side: Manually created policies, “Generate policy=no”, “Passive=no”