Requirement:

Access multiple remote client hosts (not entire remote LAN) over VPN and presenting local clients as single IP of 61.x.x.x. This is to comply with security imposed by remote client's CISCO ASR. See pic below for requirement.

Following existing fortinet doco http://cookbook.fortinet.com/vpn-overlapping-subnets/ , I am only able to successfully established a routed VPN between the gateways 219.x.x.x <>185.x.x.x, using the "Site to Site - Cisco" wizard template then converted to custom VPN. Attempts to manually setting up the tunnel without converting from the template actually didn't work, despite matching all configuration!

My local LAN 192.168.0.x clients will need to access a number of specific remote hosts e.g 10.1.x.x and 10.2.x.x.

Below are the Policies modified from the fortigate autocreated ones:

edit 45         set srcintf "internal"         set dstintf "VPN-Phase1"         set srcaddr "Local LAN"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set natip 66.x.x.x 255.255.255.255     next     edit 46         set srcintf "VPN-Phase1"         set dstintf "internal"         set srcaddr "all"         set dstaddr "Local LAN"         set action accept         set schedule "always"         set service "ALL"         set nat enable         set fixedport enable

Static routes to the remote hosts are also being set:

next     edit 13         set dst 10.1.x.x 255.255.255.255         set device "VPN-Phase1"     next     edit 14         set dst 10.2.x.x 255.255.255.255         set device "VPN-Phase1"

At the moment, the VPN tunnel will come up with no problem, but no traffic will passthrough. Traceroute shows that it didn't go any further than the fortigate's local LAN gateway.

I have also read through an almost identical thread https://forum.fortinet.com/tm.aspx?m=104484 but the details were scarce so I am at a lost of what else may be missing.