
route based, policy based site to site VPN on the firepower 1120

gogi99
Level 1

My company has a Cisco Firepower 1120. I have to configure a site-to-site VPN with another company, and I received the information from the other company. I configure my device, the Firepower, from the FDM. On the internet I found that the FDM supports only route-based site-to-site VPN. The other company told me that they have no possibility of configuring their device with a route-based site-to-site VPN, only with a policy-based site-to-site VPN, so I must configure a policy-based site-to-site VPN. On the internet I found that a template exists for configuring a policy-based site-to-site VPN. Can you give me some information about this? One more question: I must configure the policy-based site-to-site VPN from the CLI. Which terminal do I use to configure this option? Is it system support diagnostic-cli?

2 Accepted Solutions

Yes, this is it. You see the type is manual, not auto; you need to change the NAT type and check.

MHM


Add a new one with Type auto, and after that disable this one.

MHM


50 Replies

@gogi99 FDM certainly does support policy-based VPN. This guide demonstrates how to set up a VPN on FDM (complete the FDM section and ignore the ASA section at the end): https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

If using FDM you must configure the VPN, and the vast majority of the actual configuration, using the GUI. The CLI is primarily used for initial setup of the management interfaces and for troubleshooting.

I must configure a policy-based site-to-site VPN on my device. Do you have any advice on how to configure it, for synchronization with the other company's device?

@gogi99 the guide I provided above is an example of configuring a policy-based VPN on FDM; follow the steps in the FDM section of the guide.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215513-configure-site-to-site-vpn-on-ftd-manage.html

You need to define your local network(s) and the peer's remote network(s); these are referred to as protected networks. Define the peer's IKE/IPsec policy/proposals, configure a pre-shared key or certificate, and create a NAT exemption rule.

I created my local network, I have the IP of the remote peer and the remote networks, and I defined the IKE/IPsec policy/proposal and the pre-shared key. From the other company I received these instructions:

OpenShift (=11.115.55.0/24) enters the encryption domain from our side. We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center.

and

The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. From the side of your company, a symmetrical definition is needed.

I must create the NAT. How do I do this from FDM?


@gogi99 11.4.23.0/24 should be defined as the local network that defines your protected networks in the VPN configuration.

You would need to create a manual NAT rule with the original source of your real/actual local networks, the original destination of the remote network (11.115.55.0/25), a translated source of 11.4.23.0/24, and the translated destination still as (11.115.55.0/25).

I created the NAT per your instructions, with the name eUprava_NAT, but nothing. I tested the configuration with the command

show running-config crypto map
crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff
crypto map s2sCryptoMap 1 set pfs group24
crypto map s2sCryptoMap 1 set peer remote_ip
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES-256
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside

In the line crypto map s2sCryptoMap 1 match address |s2sAcl|091dd7e7-5575-11ef-85f5-2fcd82cd34ff I see something other than the rule I created, Permit_eUprava.

@gogi99 you have to generate traffic in order to establish the VPN.

There is no way to determine whether your NAT configuration is correct with the output you provided. Run "show nat detail" to provide the output.

Are the IKEv2/IPSec settings the same as the peer?

Did you define the protected networks correctly? Provide a screenshot of the configuration.

Run some debugs

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

Refer to the guide previously provided, which has some troubleshooting steps

I used show nat detail

(any) to (any) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.115.55.0/24, Translated: 11.115.55.0/24

Are the IKEv2/IPSec settings the same as the peer?

The settings are the same.

The screenshot of the configuration:

Connection Name: eUprava_site-to-site_VPN

VPN Access Interface IP: outside (ip_of my outside interface)
Network: server_network(192.168.99.0/24)

Peer IP Address: ip_remote_peer
Peer Network: OpenShift_Network(11.115.55.0/24), eUprava(11.4.23.0/24)

IKE Version 2
IKE Policy: aes-256-sha256-sha256-24
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key

IKE Version 1: Disabled

OTHER
NAT Exempt: —

Diffie-Hellman Group: GROUP24

I used the following commands

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

but I don't receive anything.


@gogi99 as you have to NAT, 11.4.23.0/24 needs to be configured as your local protected network in the VPN, not the real network 192.168.99.0/24.

Why have you got 11.4.23.0/24 as a remote network? That is the NAT range the peer wants on your local side of the VPN.

You will only get debug output when you generate traffic to establish the VPN.
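The NAT logic laid out in the two replies above (a manual NAT rule whose original source is the real LAN and whose translated source is 11.4.23.0/24, with the destination left untranslated, and the point that the VPN's local protected network must then be the mapped range rather than the real network) can be checked mechanically. The script below is an added example, not part of the thread and not a Cisco tool: it parses the "show nat detail" output posted above and compares it with the protected networks as entered in FDM. The interface names inside/outside used in the corrected case, and the finding codes, are my assumptions; the sample output is the one from the thread, embedded as constructed input.

```python
"""Check a policy-based VPN's protected networks against the manual NAT rule
that maps the real LAN onto the range the peer expects (added example)."""
import ipaddress
import re

# Constructed sample input: the 'show nat detail' output pasted in the thread.
SHOW_NAT_DETAIL = """\
(any) to (any) source static server_network eUprava destination static OpenShift_Network OpenShift_Network
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.99.0/24, Translated: 11.4.23.0/24
Destination - Origin: 11.115.55.0/24, Translated: 11.115.55.0/24
"""

_IF = re.compile(r"^\((\S+)\) to \((\S+)\) source static")
_HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
_SRC = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")
_DST = re.compile(r"Destination - Origin: (\S+), Translated: (\S+)")


def parse_nat_detail(text):
    """Parse 'show nat detail' into one dict per manual NAT rule."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := _IF.match(line):
            cur = {"src_if": m.group(1), "dst_if": m.group(2)}
            rules.append(cur)
        elif cur is None:
            continue
        elif m := _HITS.search(line):
            cur["translate_hits"] = int(m.group(1))
            cur["untranslate_hits"] = int(m.group(2))
        elif m := _SRC.search(line):
            cur["src_orig"], cur["src_xlate"] = (ipaddress.ip_network(x) for x in m.groups())
        elif m := _DST.search(line):
            cur["dst_orig"], cur["dst_xlate"] = (ipaddress.ip_network(x) for x in m.groups())
    return rules


def check_vpn_against_nat(local_protected, remote_protected, rule):
    """Return (code, message) findings for a policy-based VPN whose local side is NATed.

    On ASA/FTD the crypto ACL is evaluated against post-NAT (mapped) addresses for
    outbound traffic, so the local protected network must be the rule's translated
    source, and the peer's real network must pass through untranslated.
    """
    local = {ipaddress.ip_network(n) for n in local_protected}
    remote = {ipaddress.ip_network(n) for n in remote_protected}
    findings = []
    if rule["src_orig"].prefixlen != rule["src_xlate"].prefixlen:
        findings.append(("SRC_NOT_ONE_TO_ONE", f"static source NAT {rule['src_orig']} -> {rule['src_xlate']} is not one-to-one"))
    if rule["src_xlate"] not in local:
        findings.append(("LOCAL_MISSING_MAPPED", f"local protected networks {sorted(map(str, local))} do not contain the translated source {rule['src_xlate']}"))
    if rule["src_orig"] in local:
        findings.append(("LOCAL_IS_REAL", f"real LAN {rule['src_orig']} is listed as local protected network; the crypto ACL sees the mapped range {rule['src_xlate']}"))
    if rule["src_xlate"] in remote:
        findings.append(("MAPPED_LISTED_AS_REMOTE", f"{rule['src_xlate']} is the range the peer expects on your side, not a remote network"))
    if rule["dst_orig"] != rule["dst_xlate"]:
        findings.append(("DST_TRANSLATED", f"destination {rule['dst_orig']} must stay untranslated, got {rule['dst_xlate']}"))
    if rule["dst_orig"] not in remote:
        findings.append(("REMOTE_MISSING_DST", f"remote protected networks do not contain {rule['dst_orig']}"))
    if "any" in (rule["src_if"], rule["dst_if"]):
        findings.append(("ANY_INTERFACE", "NAT rule is (any) to (any); bind it to the inside and outside nameifs"))
    if rule.get("translate_hits", 0) == 0:
        findings.append(("NO_HITS", "translate_hits = 0: nothing has matched yet; send traffic from the real LAN to the remote network to bring the tunnel up"))
    return findings


def thread_configuration():
    """Protected networks exactly as shown in the thread's FDM configuration text."""
    rule = parse_nat_detail(SHOW_NAT_DETAIL)[0]
    return check_vpn_against_nat(["192.168.99.0/24"], ["11.115.55.0/24", "11.4.23.0/24"], rule)


def corrected_configuration():
    """Local = mapped range, remote = peer's real network, rule bound to nameifs (assumed inside/outside)."""
    rule = parse_nat_detail(SHOW_NAT_DETAIL.replace("(any) to (any)", "(inside) to (outside)"))[0]
    return check_vpn_against_nat(["11.4.23.0/24"], ["11.115.55.0/24"], rule)


if __name__ == "__main__":
    for name, fn in (("as posted", thread_configuration), ("corrected", corrected_configuration)):
        print(f"== {name} ==")
        for code, msg in fn():
            print(f"  [{code}] {msg}")
```

Run against the posted output it flags the real LAN listed as the local protected network, the mapped range listed as a remote network, and the (any) to (any) binding; with the local side set to 11.4.23.0/24 and the remote side to 11.115.55.0/24 only the zero hit counter remains, which is the "generate traffic" point rather than a configuration error.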

The network 11.4.23.0/24 is in the other company.

I received from the other company:

The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic. A symmetrical definition is required from your company's side.

@gogi99 you said "We would kindly ask you to present your LAN side through the IP range that the Office will allocate to you (=11.4.23.0/24), so that it is routable within our data center." and "The tunnel is configured as policy based and in that context IP communication between the ranges 11.115.55.0/24 and 11.4.23.0/24 is defined as interesting traffic". << therefore not your local LAN network 192.168.99.0/24

So therefore I determined they want you to NAT your LAN traffic to that range. The last few messages in regard to the NAT configuration that has been provided to you have been based on that assumption. If you feel that is incorrect, you may wish to contact the 3rd party and clarify exactly what they want you to do.

I understood this message as: NAT my local network 192.168.99.0/24 to 11.4.23.0/24, but I cannot define the interesting traffic.


In the ACL of the VPN use the mapped IP, not the real IP.
In the NAT don't use interface ANY ANY; use interface IN OUT, or whichever nameif you use.

MHM 

@gogi99 please re-read the guide already provided.

Create objects for the protected networks (this is the interesting traffic).

You then reference these objects in the VPN configuration, as the local and remote networks.
