ASPCORP
New Member
October 19, 2016
Question

Allowing branch to connect to branch via site-to-site IPsec

  • October 19, 2016
  • 1 reply
  • 3064 views

We've created a site-to-site IPsec VPN:

HQ - 192.168.10.0/24

InternalRouter - 192.168.16.0/24

Branch "A" - 192.168.11.0/24

Branch "B" - 192.168.12.0/24

How is it possible to have all subnets communicating with each other equally?

    1 reply

    ede_pfau
    SuperUser
    October 20, 2016

    My first thought was to use supernetting - tunneling a 192.168.10.0/21 would cover 192.168.8 to 192.168.15. Won't work here, sigh. Your choice of network ranges is just a bit unfortunate.

     

    There are 2 ways to achieve connectivity:

    - create 2 tunnels, from A to HQ and from B to HQ. Set up routing so that you get from A to B. Allow destination subnet HQ from A, and subnet B from A; similar on B. For each subnet create a separate phase2. All in interface mode, of course.

    - use the FortiOS wildcard '0.0.0.0/0' along with explicit routes to tunnel all possible subnets across.

     

    Instead of static routes, which I recommend, you could set up a dynamic routing protocol. Depends on your future plans - going from 2 to 3 spokes would certainly justify a protocol.
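The hub-and-spoke layout from the reply above, written out as a FortiOS CLI configuration. This is an added example, not configuration from the original thread or from Fortinet; it assumes the subnets given in the question, a WAN port named "wan1", documentation-range public IPs (203.0.113.x) for the branches, placeholder pre-shared keys, and the CLI keywords of FortiOS 5.x/6.x interface-mode IPsec (verify against your own firmware's syntax). The HQ side uses the 0.0.0.0/0 wildcard selectors with explicit static routes (the second approach); the Branch A side uses one phase2 per remote subnet (the first approach); Branch B mirrors Branch A with its own addresses. If your firmware rejects the selector mismatch between a wildcard hub and a specific spoke, use identical selectors on both ends.

```text
# ===== HQ (hub): two tunnels, wildcard selectors, routing decides what enters each tunnel =====
config firewall address
    edit "net_hq_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "net_internal"
        set subnet 192.168.16.0 255.255.255.0
    next
    edit "net_branchA"
        set subnet 192.168.11.0 255.255.255.0
    next
    edit "net_branchB"
        set subnet 192.168.12.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to_branchA"
        set interface "wan1"              # assumed WAN port name
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.11        # assumed Branch A public IP
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK-A"
    next
    edit "to_branchB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.12        # assumed Branch B public IP
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK-B"
    next
end
config vpn ipsec phase2-interface
    edit "to_branchA_p2"
        set phase1name "to_branchA"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0    # wildcard: the static routes below, not the selector, steer traffic
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "to_branchB_p2"
        set phase1name "to_branchB"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 0
        set dst 192.168.11.0 255.255.255.0
        set device "to_branchA"
    next
    edit 0
        set dst 192.168.12.0 255.255.255.0
        set device "to_branchB"
    next
end
config firewall policy
    # Spoke-to-spoke transit: without tunnel-to-tunnel policies A and B never reach each other.
    # Addresses are scoped to the branch subnets, not "all", so a compromised spoke cannot
    # reach anything the policy does not name.
    edit 0
        set name "branchA-to-branchB"
        set srcintf "to_branchA"
        set dstintf "to_branchB"
        set srcaddr "net_branchA"
        set dstaddr "net_branchB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "branchB-to-branchA"
        set srcintf "to_branchB"
        set dstintf "to_branchA"
        set srcaddr "net_branchB"
        set dstaddr "net_branchA"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== Branch A (spoke): one tunnel to HQ, one phase2 per remote subnet =====
config vpn ipsec phase1-interface
    edit "to_hq"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10        # assumed HQ public IP
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK-A"
    next
end
config vpn ipsec phase2-interface
    edit "to_hq_lan"
        set phase1name "to_hq"
        set src-subnet 192.168.11.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "to_hq_internal"
        set phase1name "to_hq"
        set src-subnet 192.168.11.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
    edit "to_branchB_via_hq"
        set phase1name "to_hq"
        set src-subnet 192.168.11.0 255.255.255.0
        set dst-subnet 192.168.12.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to_hq"
    next
    edit 0
        set dst 192.168.16.0 255.255.255.0
        set device "to_hq"
    next
    edit 0
        set dst 192.168.12.0 255.255.255.0    # Branch B is reached through HQ
        set device "to_hq"
    next
end
```

The HQ side also needs the usual LAN-to-tunnel and tunnel-to-LAN policies for 192.168.10.0/24 and 192.168.16.0/24 (and a route to the InternalRouter subnet, if it is not directly connected), and Branch A needs its own "internal" to "to_hq" policy pair; they follow the same pattern as the spoke-to-spoke policies shown. After applying, check with `diagnose vpn tunnel list` that each phase2 selector shows up, and with `diagnose sniffer packet to_branchA` that Branch B traffic actually leaves the hub on the second tunnel rather than being dropped by a missing policy.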