Solution for route-based VPN
You need to:
Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
Configure virtual IP (VIP) mapping:
the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
Configure an outgoing security policy with ordinary source NAT on both FortiGates.
Configure an incoming security policy with the VIP as the destination on both FortiGates.
Configure a route to the remote private network over the IPsec interface on both FortiGates.
To configure VIP mapping on both FortiGates
1. Go to Firewall Objects > Virtual IPs > Virtual IPs and select Create New.
2. Enter the following information, and select OK:
Name: Enter a name, for example, my_vip.
External Interface: Select FGT1_to_FGT2, the IPsec interface.
Type: Static NAT
External IP Address/Range: For the external IP address field enter 10.21.101.1 when configuring FortiGate_1, or 10.31.101.1 when configuring FortiGate_2.
Mapped IP Address/Range: For the Mapped IP Address enter 10.11.101.1. For the Range enter 10.11.101.254.
Port Forwarding: Disable
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the outbound security policy on both FortiGates
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface: Select Port 1.
Source Address: Select all.
Outgoing Interface: Select FGT1_to_FGT2, the IPsec interface.
Destination Address: Select all.
Action: Select ACCEPT.
Enable NAT: Enable
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the inbound security policy on both FortiGates
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and then select OK:
Incoming Interface: Select FGT1_to_FGT2, the IPsec interface.
Source Address: Select all.
Outgoing Interface: Select Port 1.
Destination Address: Select my_vip.
Action: Select ACCEPT.
Enable NAT: Disable
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the static route for both FortiGates
1. Go to Router > Static > Static Routes and select Create New.
For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Enter the following information, and then select OK:
Destination IP / Mask: Enter 10.31.101.0/24 when configuring FortiGate_1. Enter 10.21.101.0/24 when configuring FortiGate_2.
Device: Select FGT1_to_FGT2.
Gateway: Leave as default: 0.0.0.0.
Distance (Advanced): Leave at default. If you have advanced routing on your network, you may have to change this value.
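The following Python sketch is an added example, not Fortinet code. It checks the addressing plan above for consistency and shows how the static NAT VIP translates a destination address. The function names are hypothetical, and it assumes that static NAT maps addresses one-to-one by their offset within the range.

```python
import ipaddress

# Values from the page: both sites use 10.11.101.0/24 internally; each FortiGate
# presents its LAN to the peer under a unique alias range via a static NAT VIP.
LAN = ipaddress.ip_network("10.11.101.0/24")
SITES = {
    "FortiGate_1": {"ext_start": "10.21.101.1", "mapped_start": "10.11.101.1",
                    "mapped_end": "10.11.101.254", "route": "10.31.101.0/24"},
    "FortiGate_2": {"ext_start": "10.31.101.1", "mapped_start": "10.11.101.1",
                    "mapped_end": "10.11.101.254", "route": "10.21.101.0/24"},
}

def ext_range(site):
    """Return (first, last) external address; assumes equal-size static NAT ranges."""
    first = ipaddress.ip_address(site["ext_start"])
    size = (int(ipaddress.ip_address(site["mapped_end"]))
            - int(ipaddress.ip_address(site["mapped_start"])))
    return first, first + size

def vip_translate(site, dst):
    """One-to-one DNAT (assumed): same offset in the external and mapped ranges."""
    first, last = ext_range(site)
    dst = ipaddress.ip_address(dst)
    if not first <= dst <= last:
        return None  # outside the VIP, so the inbound policy would not match
    return ipaddress.ip_address(site["mapped_start"]) + (int(dst) - int(first))

def check_plan(sites, lan=LAN):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for name, site in sites.items():
        first, last = ext_range(site)
        if first in lan or last in lan:
            problems.append(f"{name}: VIP external range overlaps local LAN {lan}")
        for peer_name, peer in sites.items():
            if peer_name == name:
                continue
            route = ipaddress.ip_network(peer["route"])
            if first not in route or last not in route:
                problems.append(f"{peer_name}: route {route} misses {name}'s VIP range")
            if route.overlaps(lan):
                problems.append(f"{peer_name}: route {route} overlaps local LAN {lan}")
    return problems

if __name__ == "__main__":
    print(check_plan(SITES))
    print(vip_translate(SITES["FortiGate_2"], "10.31.101.50"))
```

A host behind FortiGate_1 reaches the peer's 10.11.101.50 by addressing 10.31.101.50. The static route sends that address into the tunnel, and the VIP on FortiGate_2 rewrites it to the real address.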