Let's consider the following network.

Scenario:

1. The client (192.168.15.2) will communicate with the server (192.168.16.2).
2. IPSec interface is the outgoing interface where source-nat is required to be implemented.

Interface 'to_FGT2' is the IPSec interface at FGT1. By default, no IP-address is assigned to the IPSec interface.

Firewall policy from client to server:

Test to see if the traffic from the client can reach the server.

Ping from client to server – *failed

Check the session on the firewall. FortiGate source-nats the traffic 192.168.15.2 with 10.191.35.112.

Trace flow confirms the above session:

FortiGate basic behavior: it will choose the interface with the lowest index number, since the IPSec interface has no IP address, in this case, 'port1' is chosen. 

The command 'diagnose netlink interface list' can be used to verify the interface index. 

If the FortiGate uses Source-NAT for the IPSEC interface on the HA environment with enabled mgmt and ha interface and if configuring ha-mgmt-interfaces to be an mgmt interface, the mgmt interface that has the lowest index is omitted from SNAT. Refer to the following KB article : 

Technical Tip: For HA environment with enabled mgmt and ha interface, how Source-NAT works for IPsec...

There are at least two workarounds to resolve this situation:

1. Assign an IP address to the IPSec interface.
2. Define an ippool to be used at firewall policy.

Workaround 1: 'Assign an IP address to IPSec interface'.

*Firewall policy stays the same as before.

Workaround 2: 'Define an ippool to be used at firewall policy'.

1. Create IPpool:

2. Assign IPpool to the firewall policy:

If Central NAT is utilized for NAT translation, ensure to configure a central NAT policy to implement SNAT.

Example:

Make sure an IP pool is created before setting up a Central SNAT rule.

To create a Central SNAT:

1. Navigate to Policy & Objects.
2. Select Central SNAT.
3. Select 'Create New' and fill in the following details:

• Incoming Interface: port3 (local LAN interface).
• Outgoing Interface: to_fgt2 (IPsec tunnel name).
• Source Address: to_fgt2_local (local firewall LAN source IP address).
• IP Pool: Select the created IP pool, e.g., 'ippool_for_ipsec'.

CLI configuration : 

config firewall central-snat-map
    edit 1
        set uuid 038f5e3a-f6ce-51ef-585c-3f7d708f8e70
        set srcintf "port3"
        set dstintf "to_FGT2"
        set orig-addr "to_FGT2_local"
        set dst-addr "all"
        set nat-ippool "ippool_for_ipsec"
    next
end

Related article:

Technical Tip: How to configure source port translation using Central SNAT policy

Note:

Make sure that the NATed source IP (172.16.1.1) is included in the phase2 selectors as a local address. Otherwise, the traffic will be dropped with msg="No matching IPsec selector, drop". The phase2 selectors can be verified on the GUI -> VPN -> IPsec Tunnels -> Edit -> Phase 2 Selectors.

Since both workarounds will give us the same result, the results for both tests are here:

Test to see if the traffic from the client can reach the server.

Ping from client to server – *success.

Check session on the firewall: FortiGate source-nats the traffic 192.168.15.2 with 172.16.1.1.

Trace flow confirms the above session:

Conclusion:

• By default, IPSec created will have no IP address (if the outgoing interface is used for source-nat purposes) and FortiGate will choose any ip-address interface with the lowest index.
• There are at least two workarounds to resolve this situation:       
  • Assign an IP address to the IPSec interface.
  • Define an IPpool to be used at the firewall policy.

Related documents:

Site-to-site IPsec VPN with two FortiGate devices

Technical Tip: How to configure SNAT with IP pool

Static SNAT

Technical Tip: How to configure an IPsec tunnel with Overlapping Subnets using VIPs