FortiGate
asvraka
Staff
Article Id 321647
Description

This article describes the difference between the number of supported client-to-gateway IPsec VPN tunnels and gateway-to-gateway IPsec VPN tunnels specified in the FortiGate datasheet.

Scope

FortiGate.
Solution

For every FortiGate model, the datasheet publishes, alongside the IPsec VPN throughput, the maximum number of supported client-to-gateway (also referred to as remote access) IPsec VPN tunnels and the maximum number of supported gateway-to-gateway (also referred to as site-to-site) IPsec VPN tunnels.

The specified IPsec throughput can be consumed by gateway-to-gateway (site-to-site) tunnels, by client-to-gateway (remote access) tunnels, or by a combination of both, up to the maximum throughput and tunnel quantities specified.

These two values are often different, as in the datasheet example shown below:

[Image: ipsec tuneli.png]

The difference lies in how the two IPsec VPN tunnel modes are configured. The number of gateway-to-gateway (site-to-site) IPsec VPN tunnels is capped by the number of phase1 configurations that can be created on a given FortiGate model.

Every FortiGate has a table size limit on the number of phase1 entries ('config vpn ipsec phase1' for policy-based configurations, or the maximum number of logical interfaces allowed for route-based configurations). Each site-to-site tunnel consumes one such entry.
Client-to-gateway (remote access) IPsec VPN tunnels, by contrast, can all terminate on a single phase1-interface configuration (so the table size limit is never reached), with multiple clients connecting to it. Their number is therefore bounded only by the hardware resources of each FortiGate device, such as CPU and RAM.

Extending this to the Fortinet SD-WAN topology, gateway-to-gateway and client-to-gateway IPsec VPN tunnels map onto the various configurations in the SD-WAN topology as follows:

  • At the HUB, the IPsec VPN tunnel configured to accommodate the Branch VPNs (Overlay tunnels) is usually a client-to-gateway IPsec VPN, otherwise called a Dial-up VPN (multiple Branches dial up to a single VPN configuration, or a group of them, on the HUB). This means that the SD-WAN HUB is mostly limited by the client-to-gateway IPsec VPN tunnel datasheet maximum value.
  • At the Branch, the IPsec VPN tunnel configured towards the HUB is a gateway-to-gateway IPsec VPN, otherwise called a site-to-site VPN. Hence, the number of Overlay tunnels from a Branch to the HUB (or to multiple HUBs) is limited by the gateway-to-gateway IPsec VPN tunnel datasheet maximum value.
  • For branch-to-branch communication, ADVPN (dynamic IPsec VPN shortcuts) is often used, meaning no additional phase1 configurations are created. The number of ADVPN IPsec VPN tunnels at the Branch is limited by the client-to-gateway IPsec VPN tunnel datasheet maximum value.
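The following FortiOS CLI fragment, added here as an illustration and not taken from the article or from a Fortinet reference configuration, shows why the two datasheet values apply to different ends of an SD-WAN overlay: the HUB terminates every Branch on one dynamic phase1-interface (counted against the client-to-gateway value), while each Branch needs one static phase1-interface per HUB overlay (counted against the gateway-to-gateway value). Interface names, tunnel names, the HUB address 203.0.113.10 and the PSK placeholder are assumptions.

```fortios
# HUB side: one dynamic (dial-up) phase1-interface accepts all Branches.
# Adding Branches does not add phase1 entries; only the client-to-gateway
# datasheet value and the HUB's CPU/RAM bound the tunnel count.
config vpn ipsec phase1-interface
    edit "hub-overlay1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret "REPLACE_WITH_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "hub-overlay1-p2"
        set phase1name "hub-overlay1"
        set proposal aes256-sha256
    next
end

# BRANCH side: a static site-to-site phase1-interface per HUB overlay.
# Each additional HUB (or overlay) needs another entry like this one, so the
# Branch is bounded by the gateway-to-gateway datasheet value.
# auto-discovery-receiver lets ADVPN shortcuts to other Branches come up
# dynamically without adding further phase1 entries.
config vpn ipsec phase1-interface
    edit "hub1-overlay1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.10
        set psksecret "REPLACE_WITH_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "hub1-overlay1-p2"
        set phase1name "hub1-overlay1"
        set proposal aes256-sha256
    next
end
```

Both ends must agree on the proposal and PSK; when sizing a deployment, count phase1-interface entries on each Branch against its gateway-to-gateway limit, and count Branches plus expected ADVPN shortcuts on the HUB against its client-to-gateway limit.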