(phase2-interface) # show
config vpn ipsec phase2-interface
set phase1name "XXX-VPN"
set proposal aes256-sha256
set dhgrp 14
set keepalive enable
set keylifeseconds 3600
set src-subnet 192.168.99.0 255.255.255.255
set dst-subnet 172.16.1.0 255.255.255.0
Interface-IP on XXX-VPN is: 192.168.99.1
Firewall-Policy is: Allow everything to XXX-VPN WITH NAT.
Running diag vpn tunnel list and reviewing the IPsec SAs and counters would be a start. You probably have one-way IPsec SAs, encrypt only and no decrypt, on traffic sent to 192.168.99.1 (you had 192.268.99.1 in your typed screen, btw).
I would double-check the IPsec SAs and ensure the SPIs match and the proxy-IDs are correct.
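A small checker for the steps the answer gives, added here as an example and not code from Fortinet or from anyone in the thread: it parses a constructed sample shaped like diag vpn tunnel list output (the field layout is an assumption from memory, so adjust the regexes to what your firmware prints) and flags a one-way SA, a missing SPI, and selectors that do not cover the tunnel interface IP or the expected remote subnet from the config above.

```python
import re
import ipaddress

# Constructed sample shaped like FortiGate "diag vpn tunnel list" output (field names are
# an assumption from memory; adjust the regexes if your firmware prints them differently).
SAMPLE = """\
list all ipsec tunnel in vd 0
name=XXX-VPN ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 dst_mtu=1500
proxyid=XXX-VPN proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.99.0/255.255.255.255:0
  dst: 0:172.16.1.0/255.255.255.0:0
  dec: spi=0a1b2c3d esp=aes key=32
  enc: spi=4e5f6071 esp=aes key=32
  dec:pkts/bytes=0/0, enc:pkts/bytes=143/17160
"""

def parse_proxyids(text):
    """Return one dict per proxy-ID block: selectors, SPIs and packet counters."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("proxyid="):
            cur = {"name": line.split()[0].split("=", 1)[1]}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first proxy-ID block
        elif m := re.match(r"(src|dst): \d+:([\d.]+)/([\d.]+):\d+$", line):
            cur[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := re.match(r"(dec|enc): spi=([0-9a-f]+)", line):
            cur[m.group(1) + "_spi"] = m.group(2)
        elif m := re.match(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", line):
            cur["dec_pkts"], cur["enc_pkts"] = int(m.group(1)), int(m.group(2))
    return entries

def diagnose(entry, tunnel_ip, expected_dst):
    """Flag the symptoms the answer describes: one-way SA, missing SPI, selector mismatch."""
    findings = []
    if entry.get("enc_pkts", 0) > 0 and entry.get("dec_pkts", 0) == 0:
        findings.append("one-way SA: packets encrypted, none decrypted (check the peer side)")
    for d in ("dec_spi", "enc_spi"):
        if not entry.get(d):
            findings.append(f"no {d}: phase 2 SA incomplete")
    src, dst = entry.get("src"), entry.get("dst")
    if src is None or ipaddress.ip_address(tunnel_ip) not in src:
        findings.append(f"interface IP {tunnel_ip} not covered by src selector {src}")
    if dst != ipaddress.ip_network(expected_dst):
        findings.append(f"dst selector {dst} != expected {expected_dst}")
    return findings
```

Call diagnose(entry, "192.168.99.1", "172.16.1.0/24") on each entry from parse_proxyids(SAMPLE); on the sample it reports the one-way SA and that 192.168.99.1 lies outside the /32 src selector.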