Description | This article provides the necessary configuration using the VPN Template from the GUI to route traffic to the internet through the site-to-site tunnel. |
Scope | FortiOS 7.6.x. |
Solution |
FortiOS 7.6 provides a new option in the GUI that configures the settings required to route traffic to the internet through the site-to-site VPN tunnel.
The step-by-step example is given below.
Configure the site-to-site VPN tunnel.
From the Firewall GUI, go to VPN -> VPN Tunnels -> Create New -> select IPsec Tunnel from template, name the tunnel, and select Begin.
At this step, select the Authentication method -> Pre-shared Key -> IKE Version, and Transport type. In the example, 'Pre-shared Key' has been selected with 'IKE' Version 2 and Transport mode is 'Auto'.
At this step, the Remote site device parameters are configured. In the example, the remote site is Accessible and static over a remote IP address, so this option is being used and the remote device is not Behind NAT or dynamic. The option to Route this device's internet traffic through the remote site can be enabled.
Once the option Route this device's internet traffic through the remote site is enabled, the option for Remote site subnets that can access VPN does not appear since the destination is the internet.
Hover the mouse over the Information icon. It will display the message shown in the screenshot below.
The Outgoing Interface and the Local subnet are configured at this stage.
The Local Gateway needs to be configured since the local traffic will be routed over the VPN tunnel.
For the final steps, review the configuration and then submit.
The tunnel is created and is shown in the GUI.
On the remote FortiGate, select the configuration options shown in the screenshot. On the remote firewall, the option Route this device's internet traffic through the remote site should remain disabled, since the other firewall's internet traffic will traverse this firewall and not the other way around.
Enable the option Allow remote site's internet traffic through this device. This automatically configures a firewall policy to route the remote firewall's traffic through this device and out the specified Shared WAN. In this example, Port 2 is used.
Afterwards, select Next, review the configuration template, and complete the setup.
Three firewall policies are generated automatically once the configuration is complete. One policy is for traffic coming from the remote site, one is for traffic going to the remote site, and the third is for the internet traffic.
Note that the policy configured for internet traffic uses 'all' as the destination address (the remote IP address), and NAT is enabled.
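One way to confirm this from the CLI on the remote FortiGate, as an added example that is not part of the original article or Fortinet's own tooling: the script below parses `show firewall policy` output and separates tunnel-to-WAN accept policies that match the description above (destination 'all', NAT enabled) from ones that do not. The sample output is constructed; the tunnel name "to-branch", the address object names and "port3" are placeholders, and port2 stands for the Shared WAN from the example.

```python
import re
# Constructed `show firewall policy` excerpt from the remote FortiGate. Tunnel name
# "to-branch", address objects and "port3" are placeholders; port2 is the Shared WAN.
SAMPLE = """
config firewall policy
    edit 1
        set srcintf "to-branch"
        set dstintf "port3"
        set dstaddr "to-branch_local"
        set action accept
    next
    edit 2
        set srcintf "port3"
        set dstintf "to-branch"
        set dstaddr "to-branch_remote"
        set action accept
    next
    edit 3
        set srcintf "to-branch"
        set dstintf "port2"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        words = re.findall(r'"[^"]*"|\S+', line.strip())
        if words[:1] == ["edit"] and len(words) == 2:
            current = policies.setdefault(int(words[1]), {})
        elif words[:1] == ["set"] and len(words) > 2 and current is not None:
            current[words[1]] = [w.strip('"') for w in words[2:]]
        elif words[:1] == ["next"]:
            current = None
    return policies

def audit(policies, tunnel, wan):
    """Split tunnel -> WAN accept policies into (as described, needs review)."""
    ok, review = [], []
    for pid, p in policies.items():
        if (tunnel in p.get("srcintf", []) and wan in p.get("dstintf", [])
                and p.get("action") == ["accept"]):
            expected = p.get("dstaddr") == ["all"] and p.get("nat") == ["enable"]
            (ok if expected else review).append(pid)
    return ok, review
```

For the sample, `audit(parse_policies(SAMPLE), "to-branch", "port2")` returns `([3], [])`; any ID in the second list is a tunnel-to-WAN policy whose destination or NAT setting differs from what the template is described as creating.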
Related article for troubleshooting IPsec tunnel: |