I have a relatively simple setup with two Fortigates directly peering with IPsec over the Internet. I have two subnets on my primary site, configured as subinterfaces, and one subnet on my secondary site (also subinterface).
In order to configure the Phase 2, I created a group of objects containing my two subnets and used Named Addresses on both firewalls.
One subnet from the primary site (let's call it 192.168.1.0/24) can reach the remote site properly and vice-versa. However, the other subnet from my primary site (let's call it 172.16.1.0/24) cannot reach the remote site. Pings from the remote site to both main subnets are working.
From the Forward Traffic log, I can see that the subnet that is not working is not actually using the ACL towards the tunnel; rather, it goes through the WAN link, as if it were not using the route I specified in the Phase 2.
I have static routes on both firewalls to allow the communication (two routes on the remote firewall pointing to the VPN's IP, and one route on the main site pointing towards the other side of the VPN).
I have 0 ACL drops on my default rule and have no other drop rules. NAT is deactivated on the rules managing the traffic between the sites. I have tried Policy Routing, creating multiple Phase 2s, and removing the working subnet from the Phase 2 and leaving only the broken one; it never goes through the VPN interface.
Any help is welcome, I'll be glad to answer your questions.
Thank you in advance!