Getting SNAT to work on traffic from the firewall inside interface, then down a VPN tunnel
Hi
We have a situation where we have a point-to-point VPN between two FortiGates, and we need to be able to connect a FortiAnalyzer behind one of the FortiGates to the remote FortiGate. Because of some internal routing issues, the internal interface of the remote FortiGate is not routable from the FortiAnalyzer, or the local FortiGate. What we have done is set the remote FortiGate up to NAT traffic to/from its internal network, over the VPN link. This works great for devices behind the remote FortiGate, but not for traffic originating from the remote FortiGate.
E.g. the local FortiAnalyzer is 10.1.1.1, the local FortiGate is 10.2.1.1, then the internet/VPN tunnel, then the remote FortiGate is 20.1.1.1 on the internal interface, and devices are 20.1.1.x behind it. Traffic on the 10 networks thinks that the remote subnet is 10.99.1.x, and is reached via the VPN tunnel. We have created multiple IP pools on the remote Fortinet such that 10.99.1.5 maps to 20.1.1.5, 10.99.1.6 maps to 20.1.1.6, etc. (we only have a few remote devices). We have also created a pool for the inside interface of the remote FortiGate so that 10.99.1.1 maps to 20.1.1.1.
If you ping 10.99.1.1 from the FortiAnalyzer, the remote firewall responds OK - great!! And the same for the other devices on the remote subnet. In fact the devices on the remote subnet work fine; it's just getting traffic originating from the remote FortiGate itself that we are having issues with.
A debug trace of pings from the FortiAnalyzer shows the incoming ping being DNAT'ed on the way in, and the response being SNAT'ed on the way out to the VPN tunnel - perfect.
A debug trace of the FortiGate trying to connect to the FortiAnalyzer on port 514 shows that the packet is not being SNAT'ed before being poked into the VPN tunnel.
Any ideas? Oh, by the way, both ends are running 5.2.4.
Thanks