emnoc states the reason why you will have to use VIPs (destination NAT) and not IP pools (source NAT): with a VIP the (local) Fortigate will proxy-arp for the remote host so that an arp broadcast will succeed. If you only source NAT in DC#2 local broadcasts will remain local and not cross the tunnel. Just an idea to save some work: what if you leave the DNS setting on the migrated servers as .1.2 and create a VIP .1.2 -> .1.200 and assign .1.200 to your DNS (as secondary address)? This way you could keep the old DNS setting, keep the DNS primary address and have DNS cross the tunnel. Just my 2 ct, on the fly.

Thanks for your answer. I tried to do that, but with no luck so far. Example : My DC on Datacenter1 is IP 192.168.1.1 My server on Datacenter2 is IP 192.168.1.2 and has DNS/DC pointing to 192.168.1.1 In my firewall on Datacenter2, I added a new VIP 10.10.0.2 pointing to 192.168.1.2 I also added an IP Pool of 10.10.0.2 Then on my policy, I enabled NAT and asked to use 10.10.0.2 as the NAT IP. Is it the correct way to do ? I could do it with SNAT I guess, I only need that my servers in Datacenter2 be able to reach the DC until everything gets migrated. From Datacenter1, there is no need that the servers needs to access Datacenter2 servers.

You would be employing DNAT on the FGT in DC#2! External IF: internal Mapped-to IF: tunnel2DC1 external IP: 192.168.1.2 mapped to IP: 192.168.1.200 (yes, identical subnet BUT on tunnel interface) And in DC#1: DNS primary IP: 192.168.1.2 secondary IP : 192.168.1.200 where .1.200 is any arbitrary unused IP address from the SAME subnet. Reason: this subnet already gets transported across the tunnel if the QM selectors are set right. There is no need to configure anything (any NAT) on the FGT of DC#1. The FGT will send the reply traffic down the tunnel back to DC#2 because of the proxy IDs used. Just give it a try.

Ok, so this what I' ve done so far : Added Virtual IP on Fortigate2 as you said : External Interface : SERVERS_Interface (Internal) External IP : 192.168.1.1 Mapped to : 192.168.1.200 Added static route to 192.168.1.200 to pass thought the IPSEC Tunnel Added IP 192.168.1.200 as secondary IP on my server in Datacenter1 From fortigate on Datacenter2 I am able to ping both IPs of the Datacenter1 server. But still, from my server in Datacenter2 I am still unable to ping servers in Datacenter1. This what I get in the debug flow when I try to ping my DNS on Datacenter1 from Datacenter2 (192.168.1.20 is my test server located in Datacenter2, where I am trying to ping from) : Fortigate2 : id=36871 trace_id=477 msg=" vd-root received a packet(proto=1, 192.168.1.20:512->192.168.1.1:8) from OLD_SRV-NET." id=36871 trace_id=477 msg=" Find an existing session, id-00fc9ed5, original direction" id=36871 trace_id=477 msg=" enter fast path" id=36871 trace_id=477 msg=" DNAT 192.168.1.1:8->192.168.1.200:512" id=36871 trace_id=477 msg=" enter IPsec interface-OCC_IPSEC_SDB" id=36871 trace_id=477 msg=" encrypted, and send to [FORTIGATE1_ISP_PUBLIC_IP] with source [FORTIGATE2_ISP_PUBLIC_IP]" id=36871 trace_id=477 msg=" send to [FORTIGATE2_ISP_PUBLIC_IP] via intf-wan2" Fortigate1 : id=13 trace_id=233 msg=" vd-root received a packet(proto=1, 192.168.1.20:512->192.168.1.200:8) from IPSEC_SDB." id=13 trace_id=233 msg=" allocate a new session-0e8fa28c" id=13 trace_id=233 msg=" find a route: gw-192.168.1.200 via ONE-OLD_SRV-Net" id=13 trace_id=233 msg=" use addr/intf hash, len=2" id=13 trace_id=233 msg=" Allowed by Policy-320:" In my IPSEC definition, I have created a phase2 without any Quick Selector. I then tried to add another phase with source IP 192.168.1.1 and destination 192.168.1.20 on my Fortigate1, and the opposite in Fortigate2 (Soure 192.168.1.20, dest 192.168.1.1). But no luck

Have you noticed that you translate .1.2 but ping .1.1?

Sorry, this was a typo mistake, I am mapping 192.168.1.1 (Which is the DomainController I need to reach and that is still located on Datacenter1, while some of my servers are already moved to Datacenter2).

Hi Another option besides NAT is Proxy Arp, there is a KB article here: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12017&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=60519146&stateId=0%200%2060517437 Example is for an old version but it still applies on newer firmware.