Can you suggest some config for the same?
I've already done so; it consists merely in changing that IPsec policy's dst-address from the current 172.16.88.0/24 to 0.0.0.0/0 at 'Tik side and symmetrically changing the src-address at Fortigate side. At Mikrotik side, the IPsec transport traffic is auto-protected against being sent into the tunnel it transports, as IPsec transport packets are ignored by IPsec policies, so they are not captured and encrypted again ad nauseam, but DNS and everything will get redirected as soon as the tunnel gets up. However, I'm not sure whether the auto-protection also handles control packets; if it doesn't, you would have to create a manual protection policy, saying
action=none src-address=tik's.wan.ip.address dst-address=fortigate's.public.ip.address
and place it on top of the existing one.
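
The Mikrotik-side change described in the reply above, written out as RouterOS commands. This is an added example, not part of the original post. It assumes the existing policy is a static one that is the only match for dst-address=172.16.88.0/24, and it uses the documentation addresses 192.0.2.10 (Mikrotik WAN) and 198.51.100.20 (Fortigate public) as stand-ins for the real ones. The Fortigate-side change is not shown.

```routeros
# Added example. 192.0.2.10 and 198.51.100.20 are constructed placeholder
# addresses; replace them with the Mikrotik WAN IP and the Fortigate public IP.

# 1. Add the manual protection policy first and place it above the existing
#    tunnel policy. action=none exempts traffic between the two public
#    addresses from IPsec processing, so the control packets between the
#    peers are never matched by the tunnel policy below it.
/ip ipsec policy add action=none \
    src-address=192.0.2.10/32 dst-address=198.51.100.20/32 \
    place-before=[find dst-address=172.16.88.0/24] \
    comment="exempt peer-to-peer traffic from the tunnel"

# 2. Widen the existing policy so that all traffic is sent into the tunnel.
/ip ipsec policy set [find dst-address=172.16.88.0/24] dst-address=0.0.0.0/0

# 3. Check the result: the action=none entry must be listed above the
#    0.0.0.0/0 entry, because policies are evaluated from the top.
/ip ipsec policy print
```

Adding the exemption before widening the policy means it is already in place at the moment the 0.0.0.0/0 match takes effect.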