"happening ONLY if Im dialing the VPN from the HQ where the Fortigate with VPN is sitting" Why would you VPN into the same place as where the FortiGate is? What is the use-case for that?
Hub-spoke is the most accurate I guess, A = hub, B=spoke, places are connected through IPsec tunnels if user from B comes at place A and need to access their data from place B, they need to be on VPN because of firewall rules allowing them to access their data. every spoke has their own VPN subnet & SSL portal and also fw rules.
