I want to achieve the same thing and with as little NAT as possible. Unfortunately, so far I can get access from one vdom to the internet through the root vdom only when using double NAT. (I had to number the vdom link interfaces with some random intermediate /30 network; without this, I didn't get internet access from inside out.) Port forward from the internet (connected to the root vdom) to a separate vdom -- also double NAT. Now I will test an ipsec tunnel that has been configured in the root vdom: how can that separate vdom access that tunnel, with or without NAT? If that also needs NAT, it is almost useless in our case. The workaround with more physical ports does not sound reasonable. I am not sure if I should use that separate vdom in transparent mode; I think then it won't work at all for internet access in different directions. I wonder, if I would want to use IPv6 in that separate vdom, do I really have to use NAT there as well? But this is not my priority at the moment. (I have a test 60D router with FortiOS v5.4.0 on my table which I use for testing.)
Edit: Finding this post https://forum.fortinet.com/tm.aspx?m=125276 and the link http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html in it helped me to get "stacked" vdoms working without the above-mentioned double NAT! Also, the ipsec tunnel from the root vdom was accessible without NAT, which is good.
Edit: It turned out that after I removed the IP addresses from the inter-vdom link interfaces and also used only devices in the routing tables (I mean, for the IP addresses of the gateways I used 0.0.0.0), it still kept working, even after restarting the router and the test computer behind it in the separate new vdom. So the port forward from the internet & root vdom to the client vdom worked, and connectivity from the client vdom to the internet (through the root vdom) and to the other side of the ipsec tunnel (which was made in the root vdom) all worked.
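The setup the edits above describe (unnumbered inter-VDOM link, routes by device only with the gateway left at 0.0.0.0, NAT applied once at the root VDOM's uplink), written out as an added FortiOS 5.x CLI example that is not the poster's own configuration. It assumes a VDOM named "client" already exists, that wan1 is the root VDOM's uplink, and that the client VDOM's LAN sits behind an interface called "internal" with the constructed subnet 192.168.10.0/24.

```fortios
# Added example (not the post's config): stacked VDOMs on FortiOS 5.x CLI.
# Assumed: VDOM "client" exists, wan1 is root's uplink, client LAN "internal"
# is 192.168.10.0/24 (constructed). Unnumbered link, device routes, one NAT.
config global
    config system vdom-link
        edit "vlink"
            set type ppp
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"
        next
        edit "vlink1"
            set vdom "client"
        next
    end
end
# Client VDOM: default route by device only; its internal -> vlink1 policy is a plain accept with NAT disabled.
config vdom
    edit client
        config router static
            edit 0
                set device "vlink1"
            next
        end
    next
end
config vdom
    edit root
        config router static
            edit 0
                set dst 192.168.10.0 255.255.255.0
                set device "vlink0"
            next
        end
        config firewall policy
            edit 0
                set srcintf "vlink0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

Only the root VDOM's vlink0 -> wan1 policy translates addresses, so traffic from the client VDOM is NATed once on the way out; a VIP on wan1 mapped to a 192.168.10.x host, allowed by a wan1 -> vlink0 policy, gives the inbound port forward the post mentions.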