Hello, I have an IPsec tunnel which is showing UP but I cannot ping or access the needed website through the tunnel. I am connecting to a City VPN which uses a Checkpoint firewall. They require me to source NAT to protect them from subnet overlap. I have read a million manuals and spent days in forums, blogs and various tutorials to no avail. It appears the traffic is moving into the tunnel but I get no response.
I have configured source NAT from my public interface address (I have other public IPs if they must be used; the interface IP seemed easiest). Also, I am using policy mode. I know route mode is better, but I cannot find any documentation on source NAT for that VPN type. My config is below. Any help might just keep the two hairs I have left in place.
** Note ** I would love to convert this into a route-based VPN, but have no idea how to do source NAT. VIPs don't make sense when the traffic is initiated from the WAN interface. I must be missing something.
All IPs have been cleansed.
- Remote interface gateway: 178.19.115.184
- Remote subnet: 178.19.196.128 255.255.255.128
- Local gateway: 88.235.171.66 (this is my WAN address)
- Local subnet: 192.168.200.0 255.255.255.0 (internal address)

** Goal is to have all traffic from the local subnet NAT to the WAN interface **

```
config firewall address
    edit "VPN-Metro_Local"
        set color 4
        set allow-routing enable
        set subnet 192.168.200.0 255.255.255.0
    next
    edit "VPN-Metro_Remote"
        set color 4
        set allow-routing enable
        set subnet 178.19.196.128 255.255.255.128
    next
end
config vpn ipsec phase1
    edit "Metro_Phase1"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes256-sha1
        set comments "Metro VPN Phase 1"
        set dhgrp 2
        set remote-gw 178.19.15.84
        set psksecret ENC
    next
end
config vpn ipsec phase2
    edit "Metro_Phase2"
        set phase1name "Metro_Phase1"
        set use-natip disable
        set proposal aes256-sha1
        set pfs disable
        set auto-negotiate enable
        set comments "Metro VPN Phase 2"
        set src-addr-type ip
        set src-start-ip 88.235.171.66
        set dst-subnet 178.19.196.128 255.255.255.128
    next
end
config firewall policy
    edit 15
        set name "MetroRMS_Policy_200Net"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "VPN-Metro_Local"
        set dstaddr "VPN-Metro_Remote"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set natoutbound enable
        set vpntunnel "Metro_Phase1"
    next
end
```

Debug flow output:

```
id=20085 trace_id=777 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.200.198:1->178.19.196.145:2048) from lan. type=8, code=0, id=1, seq=300."
id=20085 trace_id=777 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-00068aef, original direction"
id=20085 trace_id=777 func=npu_handle_session44 line=1079 msg="Trying to offloading session from lan to wan1, skb.npu_flag=00000400 ses.state=00050214 ses.npu_state=0x01000000"
id=20085 trace_id=777 func=__ip_session_run_tuple line=3164 msg="SNAT 192.168.200.198->88.235.171.66:62464"
id=20085 trace_id=777 func=ipsec_tunnel_output4 line=1211 msg="enter IPsec tunnel-MetroRMS_Phase1"
id=20085 trace_id=777 func=esp_output4 line=891 msg="IPsec encrypt/auth"
id=20085 trace_id=777 func=ipsec_output_finish line=525 msg="send to 88.235.171.65 via intf-wan1"
```
Mike Cook, Fortigate 100E, Firmware v5.6.2 build1486 (GA)
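As an added example (not from the post, and not Fortinet code), a small Python check that parses a FortiOS phase2 entry and debug-flow lines of the kind posted above and verifies that the post-SNAT source and the destination both fall inside the phase2 selectors, which is the condition a policy-based source-NAT tunnel has to satisfy for the peer to accept the proxy-IDs. The sample input embeds the post's cleansed addresses and is constructed for the check.

```python
import ipaddress
import re

# Constructed sample input: the phase2 entry and two debug-flow lines from the post
# above (the post's cleansed addresses, not real ones).
CONFIG = """
config vpn ipsec phase2
    edit "Metro_Phase2"
        set phase1name "Metro_Phase1"
        set src-addr-type ip
        set src-start-ip 88.235.171.66
        set dst-subnet 178.19.196.128 255.255.255.128
    next
end
"""
TRACE = """
msg="vd-root received a packet(proto=1, 192.168.200.198:1->178.19.196.145:2048) from lan."
msg="SNAT 192.168.200.198->88.235.171.66:62464"
"""

def parse_phase2(config):
    """Return the 'set key value' pairs of the first phase2 entry as a dict."""
    body = re.search(r'config vpn ipsec phase2\s*edit "[^"]+"(.*?)\bnext\b', config, re.S)
    if not body:
        raise ValueError("no phase2 entry found")
    return {k: v.strip() for k, v in re.findall(r"set (\S+) (.+)", body.group(1))}

def phase2_selectors(p2):
    """Translate FortiOS selector settings into ip_network objects (src, dst)."""
    if p2.get("src-addr-type") == "ip":          # single-address selector, as in the post
        src = ipaddress.ip_network(p2["src-start-ip"])
    else:                                         # default form: 'set src-subnet <net> <mask>'
        src = ipaddress.ip_network("/".join(p2["src-subnet"].split()), strict=False)
    dst = ipaddress.ip_network("/".join(p2["dst-subnet"].split()), strict=False)
    return src, dst

def parse_trace(trace):
    """Pull the original destination and the post-SNAT source out of debug-flow lines."""
    dst = re.search(r"->(\d+\.\d+\.\d+\.\d+):\d+\)", trace).group(1)
    snat = re.search(r"SNAT \S+->(\d+\.\d+\.\d+\.\d+):\d+", trace).group(1)
    return ipaddress.ip_address(snat), ipaddress.ip_address(dst)

def check_selectors(config, trace):
    """Return findings; an empty list means the SNATed flow fits the phase2 proxy-IDs."""
    src_sel, dst_sel = phase2_selectors(parse_phase2(config))
    snat, dst = parse_trace(trace)
    findings = []
    if snat not in src_sel:
        findings.append(f"SNAT source {snat} is outside phase2 src selector {src_sel}")
    if dst not in dst_sel:
        findings.append(f"destination {dst} is outside phase2 dst selector {dst_sel}")
    return findings
```

Run `check_selectors(CONFIG, TRACE)` against your own `diagnose debug flow` output; a non-empty result points at a selector that the peer will never match, which is independent of whether the tunnel shows UP.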
I thought about that too. I will try that. I think if I use another public IP I can actually do this in route mode using a VIP.
Thanks for taking the time to respond. I will let you know how it works out.
Mike Cook, Fortigate 100E, Firmware v5.6.2 build1486 (GA)
Ran into the same issue; change the VIP setting to listen on the single correct interface (e.g. wan1) instead of "any".
Setting it to "all" broke my policies; the NATing wasn't working as expected.
Copyright 2024 Fortinet, Inc. All Rights Reserved.