slovepreet
Staff
Article Id 381600
Description: This article explains, with scenarios, how to allow traffic from SSL VPN to IPsec when the remote side only accepts traffic from a specific subnet or IP address.
Scope: All supported versions of FortiOS.
Solution

Allowing SSL VPN users to reach resources across an IPsec tunnel is straightforward; see SSL VPN to IPsec VPN in the FortiGate administration guide.

Sometimes, however, the remote side accepts traffic only from certain IP addresses.

Consider the following example:

192.168.15.2------FGT(local)-----172.16.1.1----===IPsec====-----FGT(remote)---- 192.168.16.2


  • In this scenario, the remote FortiGate only accepts traffic from 172.16.1.1.
  • So when traffic is sent from the local FortiGate to the remote FortiGate, it must be source-NATed to that address.


There are two methods to achieve this, and both are explained in Technical Tip: Implement Source-NAT for IPsec interface.

In this particular scenario, where the SSL VPN subnet needs access to a resource on the other side of the tunnel, the configuration must be set up differently from the methods explained in that tip.


Follow these steps to allow access:

  1. First, configure the remote IPsec subnet as an address object: Policy & Objects -> Addresses -> Create New.


[Image: IPsec remote subnet.png]

  2. Configure the SSL VPN portal as shown below. In the Routing Address Override section, add the remote IPsec subnet. In this example, it is 192.168.16.2/24.

[Image: Remote IPsec address.png]


  3. Map the user group to the portal in SSL VPN Settings, as shown below.

[Image: SSL VPN to ipsec.png]


  4. Finally, create a firewall policy from the SSL VPN interface to the IPsec VPN tunnel interface with NAT enabled, using the IP pool as shown below.

[Image: Firewall policy.png]


Note: In this example, there is no need to add the SSL VPN client subnet to the IPsec Phase 2 selectors, because the IP pool translates the SSL VPN source addresses to an address that the existing selectors already cover.
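The four GUI steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example and not the article's own configuration: the object names ("IPsec-remote-subnet", "IPsec-SNAT-pool", "ipsec-access-portal", "SSLVPN-to-IPsec"), the user group "sslvpn-users" and the tunnel interface name "to-remote-site" are assumed for illustration, the default SSL VPN client pool SSLVPN_TUNNEL_ADDR1 and the root VDOM interface ssl.root are assumed to be in use, the article's 192.168.16.2/24 is written as its network 192.168.16.0/24, and 172.16.1.1 is assumed to be the local tunnel-side address that the remote peer accepts, as in the diagram.

```fortios
# Added example (not from the original article). Quoted names are assumed for
# illustration; 172.16.1.1 is assumed to be the local FortiGate address that the
# remote peer accepts (see the diagram above).

# Step 1: the remote IPsec subnet as an address object
config firewall address
    edit "IPsec-remote-subnet"
        set subnet 192.168.16.0 255.255.255.0
    next
end

# IP pool for source NAT: "overload" maps every SSL VPN client to 172.16.1.1
config firewall ippool
    edit "IPsec-SNAT-pool"
        set type overload
        set startip 172.16.1.1
        set endip 172.16.1.1
    next
end

# Step 2: SSL VPN portal with split tunnelling; the routing address override
# pushes only the remote IPsec subnet to the client
config vpn ssl web portal
    edit "ipsec-access-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "IPsec-remote-subnet"
    next
end

# Step 3: map the user group to the portal
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "ipsec-access-portal"
        next
    end
end

# Step 4: policy from the SSL VPN interface to the IPsec tunnel interface,
# with NAT enabled and the IP pool selected ("edit 0" takes the next free ID)
config firewall policy
    edit 0
        set name "SSLVPN-to-IPsec"
        set srcintf "ssl.root"
        set dstintf "to-remote-site"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "IPsec-remote-subnet"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "IPsec-SNAT-pool"
    next
end
```

To confirm the translation is taking place, connect an SSL VPN client and run diagnose sniffer packet to-remote-site 'host 192.168.16.2' 4 on the local FortiGate: packets leaving the tunnel interface should carry the pool address 172.16.1.1 as their source, not the client's SSLVPN_TUNNEL_ADDR1 address. Keep the pool limited to the address the remote Phase 2 selector already permits, and keep dstaddr restricted to the remote subnet so the policy does not grant SSL VPN users more reach through the tunnel than intended.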


Related documents: