AD authentication problem over a VPN connection [SOLVED]
Hello,
We have two sites with one AD Domain Controller on each side. The two sites are connected to each other with a VPN connection. Everything works fine, but I would like to set the other site's DC as a secondary (safety) authentication option in our FortiGate FG-60F (FortiOS 7.0) firewall.
The problem is that the firewall cannot access the other site's AD-DC, because it uses its outside IP address as the source address, which is not part of the IPsec settings. I checked the communication in the CLI using the 'diagnose sniffer packets any' command.
I would like to use SNAT to change the source address to the firewall's inside IP address.
As far as I could see, the solution would be to use IP Pools. I created an IP Pool with the FortiGate's inside IP address and used this pool in a firewall policy.
The main settings of the policy:
Incoming Interface: Internet (wan1)
Outgoing Interface: OtherSiteVPN
Source: FortiGate's outside IP address
Destination: Other site's AD-DC
NAT: on
IP Pool Configuration: Use Dynamic IP Pool (with the matching pool in the list)
Even after these settings, the firewall still uses its outside IP address and cannot access the other site's AD-DC.
What did I do wrong?
Thank you in advance for your help!
Best regards,
Gábor
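
Added example (editor's note, not the original poster's configuration): the FortiOS 7.0 CLI form of the IP pool and policy described in the post, followed by the setting that actually governs the source address of the FortiGate's own LDAP binds, and the checks to confirm which address is used. All interface names, object names and addresses are assumptions; the remote DC is taken to be reachable only through the IPsec tunnel, and the chosen source address must fall inside the tunnel's phase 2 selectors.

```text
# --- What the post describes: pool + policy with NAT (assumed names/addresses) ---
config firewall address
    edit "fgt-outside-ip"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "remote-ad-dc"
        set subnet 10.20.0.10 255.255.255.255
    next
end
config firewall ippool
    edit "pool-inside-ip"
        set startip 192.168.10.1
        set endip 192.168.10.1
    next
end
config firewall policy
    edit 0
        set name "fgt-to-remote-dc"
        set srcintf "wan1"
        set dstintf "OtherSiteVPN"
        set srcaddr "fgt-outside-ip"
        set dstaddr "remote-ad-dc"
        set action accept
        set schedule "always"
        set service "LDAP" "LDAPS"
        set nat enable
        set ippool enable
        set poolname "pool-inside-ip"
    next
end

# --- Self-originated traffic (LDAP binds issued by the FortiGate itself) does
# --- not pass through firewall policies, so the pool above is never consulted.
# --- The per-server source-ip setting is what selects the address for that traffic.
config user ldap
    edit "remote-site-dc"
        set server "10.20.0.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fortigate,CN=Users,DC=example,DC=local"
        set password <bind-account-password>
        set source-ip 192.168.10.1
    next
end

# --- Checks: test the bind, and confirm the source address/interface on the wire ---
diagnose test authserver ldap remote-site-dc testuser testpassword
diagnose sniffer packet any 'host 10.20.0.10 and (port 389 or port 636)' 4
```

Verbosity level 4 on the sniffer prints the interface each packet leaves on, so a bind that still egresses via wan1 from the outside address is immediately visible. Using LDAPS (port 636) rather than plain LDAP keeps the bind credentials off the wire even though the path is inside the tunnel.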
