pinzgauner
New Member
November 23, 2017
Question

Source IP of ICMP "need to fragment but don't fragment bit set" is external Interface's IP


Hi,

I have an IPsec tunnel between two FortiGates (FG1 and FG2). FG1 also has a link to an ISP and hence uses an official IP on this interface. If a client connected to FG1 connects to a server behind FG2 (via another firewall doing anti-spoofing), the server for some reason replies with packets exceeding the MTU size between FG2 and FG1 with the don't-fragment bit set, and these get dropped. In fact it seems like FG1 is dropping them, as it is replying with ICMP "need to fragment but don't fragment bit set". (Question is: why is FG1 replying with this message but not FG2?) However, the more important question is: as the source IP of the ICMP message is the one of FG1's external interface, how do I change it? Due to the third firewall doing anti-spoofing, the ICMP packet isn't reaching the server. Any ideas? Thanks in advance!
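The failure described in the post, modelled as an added example (Python; not code from the original post or from Fortinet): a router that receives a DF-flagged packet larger than the path MTU returns an ICMP type 3 code 4 message carrying the next-hop MTU (RFC 1191), and an anti-spoofing filter that only accepts internal source addresses from the tunnel side drops that message when it is sourced from the external interface address but passes it when sourced from a tunnel-side address. All addresses, the 1400-byte tunnel MTU and the filter rule are constructed assumptions.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed values for the scenario in the post; not the poster's addresses.
TUNNEL_MTU = 1400                    # assumed MTU of the IPsec path FG2 -> FG1
FG1_EXTERNAL_IP = "203.0.113.10"     # placeholder for FG1's ISP-facing address
FG1_TUNNEL_IP = "10.255.0.1"         # placeholder for an address on FG1's tunnel side
# Assumed anti-spoofing rule on the third firewall: from the tunnel side it
# only accepts packets whose source address lies in the internal range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header; DF is bit 0x4000 of the flags/offset field."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def forward(packet: bytes, mtu: int, icmp_src: str) -> Optional[bytes]:
    """Router behaviour: None if the packet fits or may be fragmented, otherwise
    an ICMP type 3 code 4 (fragmentation needed) sourced from icmp_src."""
    df_set = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    if len(packet) <= mtu or not df_set:
        return None
    orig_src = str(ipaddress.ip_address(packet[12:16]))
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + packet[:28]  # IP hdr + 8 bytes
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(icmp_src, orig_src, 1, len(body), False) + body

def anti_spoof_accepts(packet: bytes, allowed: ipaddress.IPv4Network) -> bool:
    """Third firewall: drop anything from the tunnel side whose source is external."""
    return ipaddress.ip_address(packet[12:16]) in allowed

def demo(icmp_src: str) -> Tuple[int, bool]:
    """A 1500-byte server reply with DF set hits the 1400-byte tunnel MTU;
    returns (next-hop MTU advertised, whether the ICMP passes the filter)."""
    reply = ipv4_header("10.20.0.5", "10.10.0.7", 6, 1480, True) + b"\x00" * 1480
    icmp = forward(reply, TUNNEL_MTU, icmp_src)
    next_hop_mtu = struct.unpack("!H", icmp[26:28])[0]   # ICMP header starts at byte 20
    return next_hop_mtu, anti_spoof_accepts(icmp, INTERNAL_NET)
```

Run `demo(FG1_EXTERNAL_IP)` and `demo(FG1_TUNNEL_IP)` to compare: the same ICMP message passes the filter only when its source is a tunnel-side address.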