Came across an issue on FortiOS 5.4 where a connection to remote peer via an IPSEC Tunnel suddenly stopped working. (My user told me it was working in the past atleast)
Setup is the internal IP needs to be NAT’d to an IP that is known to the VPN peer. So for example,
10.5.0.5 (internal) –> 10.10.10.10 (NAT’d) <—IPSEC TUNNEL–> 10.10.20.20 –> some real inside IP by the other peer
Troubleshooting with Flowtrace, I noticed that the traffic is not being NAT’d at all. As a result, it wont match any VPN Phase 2 Selector
Following a guide from Fortinet KB
Needed to enable natoutbound on the policy and disable use-natip on Phase 2
Note that you cannot add NAT Policy on the GUI, it has to be done on CLI
FORTIGATE # show firewall policy 218
config firewall policy
edit 218
set srcintf “port11”
set dstintf “port16”
set srcaddr “10.5.0.5”
set dstaddr “10.10.20.20”
set action ipsec
set schedule “always”
set service “https_test”
set logtraffic all
set natip 10.10.10.10 255.255.255.255
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel “RemoteBranch.Site-To-Site”
next
and on Phase 2 settings
FORTIGATE # show vpn ipsec phase2 RemoteBranch.Site-To-Site
config vpn ipsec phase2
edit “RemoteBranch.Site-To-Site”
set phase1name “RemoteBranch.Site-To-Site”
set use-natip disable
set proposal aes256-sha1
set pfs disable
set replay disable
set keepalive enable
set keylife-type both
set src-addr-type ip
set dst-addr-type ip
set keylifeseconds 3600
set keylifekbs xxx
set src-start-ip 10.10.10.10
set dst-start-ip 10.10.20.20
next
end
marktugbo.com 
This is very helpful & something that isn’t documented very well elsewhere. Do you know of a way to reference an IP pool as the source NAT rather than a single IP or subnet?
LikeLike