pwalsh
New Member
September 10, 2018
Question

snat / dnat over VPN

  • September 10, 2018
  • 1 reply
  • 3494 views

Hi. We use a FortiGate 60E running FortiOS 6.0. We use a private IP address range in our office of 192.168.2.0/24. We have a VPN to another network, and they already have that range in use, so they have asked us to use the 192.168.10.0/24 range. The machines I connect to on their network are using public internet IP addresses, but are firewalled to only allow web traffic to them, and I need SSH access. They can grant SSH access over the VPN only. So, for example, their gateway IP is 194.125.1.69 and the machine I need to connect to is 194.125.2.240. I have set up a static route that forces all traffic for the machine range over the VPN tunnel. Now, I guess I need to configure the IPv4 policies to connect out and back.

My guess:

  • Incoming Interface: LAN
  • Outgoing Interface: IPsec
  • Source: my LAN1 (subnet)
  • Destination: my confusion. Do I make a Virtual IP mapped range here? I assume then I would turn NAT off? Or would I set the destination as the foreign network subnet, and use NAT with a dynamic IP pool, with the IP addresses configured as a one-to-one pool?

I am confused. I also then need to make the reverse work. So, their machine will attempt to talk to 192.168.10.0/24 over the VPN tunnel, and I need our FortiGate to translate the incoming request to 192.168.2.0/24. It should be simple enough, right? Just requires the right logic. Thanks.
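As an added example (not from the post or its reply), one way to set this up in the FortiOS 6.0 CLI: a static NAT VIP with a range maps inbound 192.168.10.x to 192.168.2.x, and because NAT is enabled on the outbound policy with no IP pool, the FortiGate uses the matching 192.168.10.x VIP address as the source on the way out (assumed FortiOS behaviour for static VIPs; verify with `diagnose sniffer packet`). Assumed names and values: IPsec interface "to-partner", LAN interface "internal", partner host range 194.125.2.0/24, and phase 2 selectors of 192.168.10.0/24 to that partner range on both ends.

```text
# Address objects (constructed names)
config firewall address
    edit "LAN-real"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "Partner-hosts"
        set subnet 194.125.2.0 255.255.255.0   # assumed partner range
    next
end

# Static NAT VIP: 192.168.10.1-254 <-> 192.168.2.1-254, host by host
config firewall vip
    edit "VIP-LAN-over-VPN"
        set extintf "to-partner"               # assumed IPsec interface name
        set extip 192.168.10.1-192.168.10.254
        set mappedip "192.168.2.1-192.168.2.254"
    next
end

config firewall policy
    # Inbound: partner -> 192.168.10.x is DNATed to 192.168.2.x; no SNAT,
    # so the partner source address stays visible in logs and on the host
    edit 0
        set name "Partner-to-LAN"
        set srcintf "to-partner"
        set dstintf "internal"
        set srcaddr "Partner-hosts"
        set dstaddr "VIP-LAN-over-VPN"
        set action accept
        set schedule "always"
        set service "ALL"                      # narrow to what they allow
        set nat disable
    next
    # Outbound: LAN -> partner; NAT on, no ippool, so the static VIP
    # supplies the 192.168.10.x source (assumption stated in the lead-in)
    edit 0
        set name "LAN-to-Partner"
        set srcintf "internal"
        set dstintf "to-partner"
        set srcaddr "LAN-real"
        set dstaddr "Partner-hosts"
        set action accept
        set schedule "always"
        set service "SSH"
        set nat enable
    next
end
```

The partner side must route 192.168.10.0/24 into the tunnel and their phase 2 selector must match it; if it still shows 192.168.2.0/24, the tunnel will negotiate but the translated traffic will not be accepted.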

1 reply

sw2090
SuperUser
September 11, 2018

This is the classic case of overlapping subnets. I had that in a new shop once. There already is some thread about this in the forums. Search for overlapping subnets.