Hi, I have a FortiGate 200D on which two other VPNs arrive, and the two remote VPNs need to communicate.
On each Phase 2 I declared the addresses from the remote sites, and I made a policy rule to authorize VPN1 to VPN2 (and the reverse) on the FortiGate 200D...
For spoke-to-spoke, you need to take care of 1) phase 2 selectors, 2) routing, and 3) policies at all three parties: hub, spoke1, and spoke2. Perhaps the spokes don't have a route into the tunnel to get to the other spoke.
To debug at the hub (200D), you need to disable ASIC offloading on the policies in the CLI (set auto-asic-offload disable). Then you can run the sniffer and/or flow debugging.
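As an added illustration of the three hub-side items above and the debug step (this is not configuration from the poster or from Fortinet, and it is only the 200D side), assuming tunnel interfaces named "spoke1" and "spoke2", spoke LANs 10.1.0.0/24 and 10.2.0.0/24 with existing address objects "spoke1-lan" and "spoke2-lan", and constructed test hosts .10 on each LAN:

```fortios
# Hub (200D) side only. Each spoke must mirror its selector, route the
# other spoke's LAN into its own tunnel, and allow it in its own policy.
# 1) Phase 2 selectors: the hub side of each tunnel must also cover the
#    OTHER spoke's LAN, not just the hub LAN; 0.0.0.0/0 is the simplest way.
config vpn ipsec phase2-interface
    edit "spoke1-p2"
        set phase1name "spoke1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
    edit "spoke2-p2"
        set phase1name "spoke2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# 2) Routing: each spoke LAN reachable via its tunnel interface
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "spoke1"
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "spoke2"
    next
end

# 3) Tunnel-to-tunnel policy (clone it reversed for spoke2 -> spoke1);
#    offload disabled so the sniffer and flow trace below see the packets.
config firewall policy
    edit 0
        set name "spoke1-to-spoke2"
        set srcintf "spoke1"
        set dstintf "spoke2"
        set srcaddr "spoke1-lan"
        set dstaddr "spoke2-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
    next
end

# Verify on the hub: packet enters on spoke1, is routed, matches the policy, leaves on spoke2
diagnose sniffer packet any 'host 10.1.0.10 and host 10.2.0.10' 4
diagnose debug flow filter addr 10.2.0.10
diagnose debug flow trace start 10
diagnose debug enable
```

If the flow trace shows "no session matched" or a route lookup failing on the hub, the problem is item 2 or 3 on the hub; if the sniffer never sees the packet arrive on spoke1, check the spoke's selector and route instead.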
As I understand it, you have two sites which are connected via IPsec tunnels to your 200D FGT, and you want site A to communicate with site B via the 200D FGT, right?
If so, it is very simple: you can create an IP pool on the 200D by using a free available IP on your LAN as the external IP, with type overload. Then create an IPv4 policy from remote LAN A to remote LAN B and, under the NAT option, select the IP pool you have just created; then clone-reverse the policy. Traffic can then propagate between both sites.