According to article 197368 "Technical Tip: How to configure VPN for multiple subnets", it is necessary to configure only one (1) subnet per Phase 2 tunnel.
In my case that becomes very difficult because I have tunnels with more than 20 subnets (source and destination). I wonder if it is possible to use "Named Address" objects with multiple subnets as members?
Here I am again. That took a while, but we tested the named address option instead of separate subnets. That works perfectly.
But everywhere we have a named address with multiple subnets we see a down entry in the phase 2 selector. An SA entry is made for each subnet, but there is also an SA entry for all subnets in the named address. The SA entry with all subnets is down in the phase 2 selector.
Just a hint: if you use an address group, you could use the same address group both in the policy and in a static route pointing to the tunnel. As a prerequisite, each address must be marked as "routable". If all addresses are routable, then the address group is as well.
If the option to make an address routable is greyed out, add it in CLI:
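The following FortiOS CLI fragment is an added example, not part of either poster's reply, showing the whole arrangement the hint describes: address objects made routable, grouped, used once in the phase 2 selector, once in the firewall policy and once in a static route to the tunnel interface. All object names (NET-LAN-A, NET-LAN-B, NET-BRANCH-A, NET-BRANCH-B, GRP-LOCAL, GRP-REMOTE, the phase 1 name "to-branch", the interface "internal") and the subnets are placeholders chosen for the example.

```text
# Added example (not the poster's config). Names, subnets and interface are assumptions.

# 1. Local and remote subnets as address objects, each marked routable so they
#    can be used as the destination of a static route.
config firewall address
    edit "NET-LAN-A"
        set subnet 10.1.0.0 255.255.255.0
        set allow-routing enable
    next
    edit "NET-LAN-B"
        set subnet 10.2.0.0 255.255.255.0
        set allow-routing enable
    next
    edit "NET-BRANCH-A"
        set subnet 192.168.10.0 255.255.255.0
        set allow-routing enable
    next
    edit "NET-BRANCH-B"
        set subnet 192.168.20.0 255.255.255.0
        set allow-routing enable
    next
end

# 2. Groups: one for our side, one for the remote side.
config firewall addrgrp
    edit "GRP-LOCAL"
        set member "NET-LAN-A" "NET-LAN-B"
    next
    edit "GRP-REMOTE"
        set member "NET-BRANCH-A" "NET-BRANCH-B"
    next
end

# 3. Phase 2 selector referencing the groups by name instead of one
#    phase 2 per subnet pair ("to-branch" is the existing phase 1 name).
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set src-addr-type name
        set src-name "GRP-LOCAL"
        set dst-addr-type name
        set dst-name "GRP-REMOTE"
    next
end

# 4. Static route to the tunnel interface using the same remote group.
config router static
    edit 0
        set dstaddr "GRP-REMOTE"
        set device "to-branch"
    next
end

# 5. Firewall policy using the same groups.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "GRP-LOCAL"
        set dstaddr "GRP-REMOTE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check: list the negotiated selectors / SAs for the tunnel.
diagnose vpn tunnel list name to-branch
get vpn ipsec tunnel summary
```

Apply the `allow-routing` setting on each member address first; once every member is routable the group can be selected as `dstaddr` in the static route, which keeps the policy, the route and the selector pointing at one object that can be edited in a single place when a subnet is added or removed.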