FortiGate
dbhavsar
Staff
Article Id 365718
Description This article describes applying SNAT to outgoing traffic and DNAT to the return traffic over an IPSec tunnel.
Scope FortiGate.
Solution

The following configuration has been applied. First, configure the Site-to-Site IPSec tunnel:


[Image: network-diagram.jpg]

On FortiGate-A:
Here the local subnet is 192.168.30.0/24 and will be NATed to 172.16.20.0/24, so in the Phase 2 selectors the local address is 172.16.20.0/24 and the remote address is 10.1.1.0/24.

LDAPS # get vpn ipsec tunnel name DNSCLIENT

gateway
name: 'DNSCLIENT'
local-gateway: 10.9.11.214:0 (static)
remote-gateway: 10.9.15.169:0 (static)
status: up
mode: ike-v1
interface: 'port2' (4) vrf:0
rx packets: 56 bytes: 4608 errors: 0
tx packets: 56 bytes: 4608 errors: 0
dpd: on-demand/negotiated status:ok idle: 20000ms retry: 3 count: 0
selectors
name: 'DNSCLIENT'
auto-negotiate: disable
mode: tunnel
src: 0:172.16.20.0/255.255.255.0:0
dst: 0:10.1.1.0/255.255.255.0:0

Following is the IP-Pool:


LDAPS (IPSec-SNAT) # show
config firewall ippool
    edit "IPSec-SNAT"
        set startip 172.16.20.1
        set endip 172.16.20.254
    next
end

Following is the Virtual-IP:


LDAPS (IPSec-VIP) # show
config firewall vip
    edit "IPSec-VIP"
        set uuid 100f59c6-be16-51ef-27e3-df074cebf6ad
        set extip 172.16.20.1-172.16.20.254
        set mappedip "192.168.30.1-192.168.30.254"
        set extintf "any"
    next
end

Below is the firewall's outgoing and incoming policy:


LDAPS # config firewall policy
LDAPS (policy) # edit 22
LDAPS (22) # show
    config firewall policy
        edit 22
            set name "vpn_DNSCLIENT_local_0"
            set uuid 4ff37a56-b1a8-51ef-df5e-0c10099a914b
            set srcintf "port4"
            set dstintf "DNSCLIENT"
            set action accept
            set srcaddr "DNSCLIENT_local_subnet_1"
            set dstaddr "DNSCLIENT_remote"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set port-preserve disable
            set ippool enable
            set poolname "IPSec-SNAT"
            set comments "VPN: DNSCLIENT (Created by VPN wizard)"
        next
    end
LDAPS (22) # next
LDAPS (policy) # edit 23
LDAPS (23) # show
    config firewall policy
        edit 23
            set name "vpn_DNSCLIENT_remote_0"
            set uuid 4ffa09ac-b1a8-51ef-7569-b06e517ca043
            set srcintf "DNSCLIENT"
            set dstintf "port4"
            set action accept
            set srcaddr "DNSCLIENT_remote"
            set dstaddr "IPSec-VIP"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set comments "VPN: DNSCLIENT (Created by VPN wizard)"
        next
    end 

Below is the session list showing SNAT and DNAT being applied:


LDAPS # diagnose sys session filter dst 10.1.1.3
LDAPS # diagnose sys session list
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=10.9.15.169/0.0.0.0 vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 62/0 rx speed(Bps/kbps): 62/0
orgin->sink: org pre->post, reply pre->post dev=6->54/54->6 gwy=10.9.15.169/0.0.0.0
hook=post dir=org act=snat 192.168.30.2:1->10.1.1.3:8(172.16.20.239:24731)
hook=pre dir=reply act=dnat 10.1.1.3:24731->172.16.20.239:0(192.168.30.2:1)
src_mac=00:4f:72:6e:33:02
misc=0 policy_id=22 pol_uuid_idx=15828 auth_info=0 chk_client_info=0 vd=0
serial=6e55fc7d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session: 1
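As an added check that is not part of the article, the script below parses the two hook lines from the session list above and verifies the translated addresses against the ippool, VIP and Phase 2 selector shown earlier. The helper vip_mapped_for also shows which inner host the VIP would select for a given pool address, assuming (as FortiOS does for IP-range VIPs) that extip and mappedip are mapped 1:1 by offset.

```python
import ipaddress
import re

# Hook lines copied from the session list above (constructed sample input).
SESSION_HOOKS = """\
hook=post dir=org act=snat 192.168.30.2:1->10.1.1.3:8(172.16.20.239:24731)
hook=pre dir=reply act=dnat 10.1.1.3:24731->172.16.20.239:0(192.168.30.2:1)
"""

# Address ranges taken from the article's ippool, VIP and Phase 2 selector.
IPPOOL = ("172.16.20.1", "172.16.20.254")            # ippool "IPSec-SNAT"
VIP_EXT = ("172.16.20.1", "172.16.20.254")           # vip "IPSec-VIP" extip
VIP_MAPPED = ("192.168.30.1", "192.168.30.254")      # vip "IPSec-VIP" mappedip
PHASE2_LOCAL = ipaddress.ip_network("172.16.20.0/24")  # tunnel src selector

# Matches "hook=... dir=... act=snat A:p->B:q(C:r)" as printed by FortiOS.
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\((?P<xlat>[\d.]+):\d+\)"
)

def _as_int(ip):
    return int(ipaddress.ip_address(ip))

def in_range(ip, rng):
    """True if ip lies inside the inclusive (start, end) range."""
    return _as_int(rng[0]) <= _as_int(ip) <= _as_int(rng[1])

def vip_mapped_for(ext_ip):
    """Inner address an IP-range VIP maps ext_ip to (1:1 by offset)."""
    offset = _as_int(ext_ip) - _as_int(VIP_EXT[0])
    return str(ipaddress.ip_address(_as_int(VIP_MAPPED[0]) + offset))

def check_session(text):
    """Return a list of findings; an empty list means the NAT matches the design."""
    hooks = {m["act"]: m.groupdict() for m in map(HOOK_RE.match, text.splitlines()) if m}
    snat, dnat = hooks.get("snat"), hooks.get("dnat")
    if snat is None or dnat is None:
        return ["session is missing the snat or dnat hook line"]
    findings = []
    if not in_range(snat["xlat"], IPPOOL):
        findings.append(f"SNAT address {snat['xlat']} is outside ippool IPSec-SNAT")
    if ipaddress.ip_address(snat["xlat"]) not in PHASE2_LOCAL:
        findings.append(f"SNAT address {snat['xlat']} does not match the Phase 2 src selector")
    if dnat["xlat"] != snat["src"]:
        findings.append("reply DNAT does not restore the original source address")
    if not in_range(dnat["dst"], VIP_EXT):
        findings.append(f"reply destination {dnat['dst']} is not covered by IPSec-VIP")
    return findings
```

For the article's session the check returns no findings, while vip_mapped_for("172.16.20.239") returns 192.168.30.239: the pool has the default overload type and hands out any free address, so a session the remote side initiates towards 172.16.20.239 is delivered by the VIP to 192.168.30.239, not to 192.168.30.2.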
