I've seen a couple posts that didn't seem to resolve this issue and after struggling through it (with help from user Selective), here's how I was able to get it to work:
1. You have two offices, a headquarters (HQ) and a branch office (BO)
2. You have an interface/route based IPsec VPN between the two offices (that works).
3. You have an SSL-VPN to the HQ that works to the HQ subnets, but not to the BO.
On the BO FG:
Note -- it's likely that your BO FG is capable of being an SSL-VPN host as well; make sure not to confuse the BO SSL-VPN with the HQ SSL-VPN.
1. Add a Static Route to the HQ SSL-VPN Subnet, Device: IPsec VPN
2. In the IPsec VPN -> Internal Policy, add the HQ SSL-VPN subnet as a source address.
On the HQ FG:
1. In the wan -> internal SSL-VPN policy (where Action is SSL-VPN) add the BO subnet(s) as destination addresses.
2. Add an ssl.root -> IPsec VPN policy with the HQ SSL-VPN Pool as the source address and the BO subnet(s) as the destination address.
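The four steps above, written out as FortiOS CLI. This is an added example and not the poster's own config; every name and subnet in it is an assumption: "to-HQ" / "to-BO" are the IPsec tunnel interface names on each side, "internal" is the LAN interface, "BO-LAN" is an address object for the branch subnet that already exists for the IPsec policies, 10.212.134.0/24 is the HQ SSL-VPN client pool (the built-in "SSLVPN_TUNNEL_ADDR1" object on the HQ side), and "sslvpn-users" is the user group the HQ SSL-VPN policy matches. Policy and route IDs are left as `edit 0` so the FortiGate assigns the next free ID.

```fortios
# ---- Branch office (BO) FortiGate ----

# Address object for the HQ SSL-VPN client pool (assumed subnet).
config firewall address
    edit "HQ-SSLVPN-Pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# BO step 1: static route for the HQ SSL-VPN pool via the IPsec tunnel
# interface, so replies to SSL-VPN clients go back through the tunnel
# instead of the default route out the WAN.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to-HQ"
    next
end

# BO step 2: allow HQ SSL-VPN clients arriving over the tunnel into the BO LAN.
config firewall policy
    edit 0
        set name "HQ-SSLVPN-to-BO-LAN"
        set srcintf "to-HQ"
        set dstintf "internal"
        set srcaddr "HQ-SSLVPN-Pool"
        set dstaddr "BO-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Headquarters (HQ) FortiGate ----

# HQ step 1: add the BO subnet to the destination of the existing SSL-VPN
# policy (replace <existing-sslvpn-policy-id> with the ID of that policy;
# "append" adds to a multi-value field without replacing what is there).
config firewall policy
    edit <existing-sslvpn-policy-id>
        append dstaddr "BO-LAN"
    next
end

# HQ step 2: let SSL-VPN clients out through the IPsec tunnel to the BO subnet.
config firewall policy
    edit 0
        set name "SSLVPN-to-BO"
        set srcintf "ssl.root"
        set dstintf "to-BO"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "BO-LAN"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks worth running if it still fails after this. On the BO FortiGate, `get router info routing-table all` should list the SSL-VPN pool subnet with the tunnel interface as its device; if it does not, the route in BO step 1 is missing or the tunnel is down. Then, with an SSL-VPN client pinging a BO host, `diagnose sniffer packet any 'host <client-pool-ip>' 4` on the BO FortiGate shows whether the request arrives on the tunnel interface and whether the reply leaves on the same interface; a reply leaving on the WAN interface means the route is wrong, and no reply at all usually means the policy in BO step 2 does not match. One caveat: if the phase2 selectors of the IPsec tunnel are narrowed to the two office subnets rather than 0.0.0.0/0, the SSL-VPN pool has to be added to the selectors on both ends, or the tunnel will drop that traffic before any of the routes or policies above are consulted.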