IPsec VPN between Cisco ASA and FortiGate 80C with public IP endpoints/destinations

I am having a heck of a time getting a VPN set up between a Cisco ASA and an 80C.

The basics are that I need the VPN to route traffic to a few different public IPs on the remote side, with traffic appearing as if it originated from the public IP of my site, i.e.

Internal>local Public IP>IPSEC tunnel>IPsec remote gateway>remote destination (public IP)

I have been able to get the VPN tunnel up and both phases appear to be online; however, the FortiGate is not routing traffic at all through the VPN tunnel.
The remote end says that the traffic appears to be originating from the internet, not the VPN tunnel.

This is a policy-based VPN, if that helps at all.

Is this a policy-based IPsec tunnel or is it a route-based IPsec tunnel?

If it is policy-based, you need to go into the phase 2:
config vpn ipsec phase2
get (to see the list of phase 2s on the device)
edit PHASE2NAME HERE

and set “use-natip” (may be usenat-IP, not looking at one currently) to disable. This prevents the tunnel from using your WAN IP as the source.

Then you set the natip and the outbound and inbound NAT on the policy you have associated with said policy-based IPsec tunnel.
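The procedure in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration from anyone in the thread; all addresses, interface names and object names are constructed placeholders, and the option names follow the FortiOS 5.x CLI for policy-based VPN (verify them with `?` on your own firmware). Lines starting with `#` are annotations, not CLI input.

```fortios
# Constructed addressing for this example:
#   FortiGate WAN / public IP   : 198.51.100.10  (what the remote side should see as source)
#   ASA public IP (IKE peer)    : 203.0.113.1
#   Remote public destination   : 203.0.113.50/32 (must be reached through the tunnel)
#   Local LAN behind FortiGate  : 192.168.10.0/24
#   Phase 1 "to-asa" is assumed to exist already and to match the ASA.

config vpn ipsec phase2
    edit "to-asa-p2"
        set phase1name "to-asa"
        # As the reply says: stop the tunnel from picking the WAN IP by itself.
        set use-natip disable
        # Selectors are the translated source (/32) and the remote public host (/32).
        # The ASA crypto ACL must be the exact mirror of this pair.
        set src-subnet 198.51.100.10 255.255.255.255
        set dst-subnet 203.0.113.50 255.255.255.255
    next
end

config firewall address
    edit "LAN_NET"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "REMOTE_PUBLIC_HOST"
        set subnet 203.0.113.50 255.255.255.255
    next
end

# The IPsec policy carries the NAT: outbound traffic is translated to natip
# before it is matched against the phase 2 selectors.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "REMOTE_PUBLIC_HOST"
        set action ipsec
        set vpntunnel "to-asa"
        set inbound enable
        set outbound enable
        set natoutbound enable
        set natip 198.51.100.10 255.255.255.255
        set schedule "always"
        set service "ALL"
    next
    # Policies are evaluated top-down: if the generic internet/NAT policy sits
    # above this one, traffic to 203.0.113.50 goes out plain, which is exactly
    # the "it looks like it came from the internet" symptom. Move it up.
    move 20 before 1
end

# Checks after applying:
#   diagnose vpn tunnel list                       -> selectors and tx/rx counters for to-asa
#   diagnose sniffer packet any 'host 203.0.113.50' 4
#       plain packets leaving wan1 = hitting the wrong policy;
#       only ESP to 203.0.113.1 should appear once the IPsec policy matches.
```

The single most useful check is the sniffer line: if you see the inner packet on `wan1` with its original or NATed source and no ESP to the peer, the policy ordering or the selectors are wrong, not the tunnel itself.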

The only time I’ve been able to consistently get Cisco-to-FortiGate VPNs going is to make sure you set the traffic selectors in the VPN definition. It will show up if you have 0.0.0.0 for those, but unless you set the selectors for the subnets on either end it doesn’t play nice. I’m not at my machine now, but that’s the pain I remember.

This took us forever to get going as well. The killer was matching the phase 1 and phase 2 settings. On ASA, AES means AES-128, SHA means SHA-1, etc., etc.

Enabling IKE debug helped home in on mismatched parameters.

If you control both ends of the tunnel, I can get you the settings that ended up working for us.
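A matched pair of configurations for the two points raised in the last two replies: explicit /32 traffic selectors on both ends, and ASA proposal names translated to their FortiGate equivalents (ASA `encryption aes` is AES-128, `hash sha` is SHA-1). This is an added example, not the settings the reply's author offers; peer addresses, names and the pre-shared key are constructed placeholders, ASA syntax is the 8.4+ IKEv1 crypto-map form, and the FortiOS option names should be verified on your firmware. The debug commands at the end are the standard ones on each platform for spotting a proposal or selector mismatch.

```fortios
! ---------------- Cisco ASA side (IKEv1, crypto map) ----------------
! ASA public IP 203.0.113.1, FortiGate public IP 198.51.100.10 (constructed).
! "aes" = AES-128 and "sha" = SHA-1 here; on the FortiGate that is aes128-sha1.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set FG-TS esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
! Mirror of the FortiGate phase 2 selectors: local = 203.0.113.50/32, remote = 198.51.100.10/32
access-list ACL_FG extended permit ip host 203.0.113.50 host 198.51.100.10
crypto map OUTSIDE_MAP 10 match address ACL_FG
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set FG-TS
! no "set pfs" line -> PFS off; the FortiGate phase 2 must agree
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

# ---------------- FortiGate side (policy-based) ----------------
config vpn ipsec phase1
    edit "to-asa"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal aes128-sha1
        set dhgrp 2
        set keylife 86400
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2
    edit "to-asa-p2"
        set phase1name "to-asa"
        set proposal aes128-sha1
        set pfs disable
        set keylifeseconds 28800
        # Never leave these at 0.0.0.0/0 against an ASA; they must equal ACL_FG reversed.
        set src-subnet 198.51.100.10 255.255.255.255
        set dst-subnet 203.0.113.50 255.255.255.255
    next
end

# ---------------- IKE debugging ----------------
# FortiGate: restrict the IKE debug to this peer, then watch the negotiation.
diagnose vpn ike log-filter dst-addr4 203.0.113.1
diagnose debug application ike -1
diagnose debug enable
#   "no proposal chosen"  -> phase 1/2 algorithm, DH group or PFS mismatch
#   selector/ID mismatch  -> the /32s above do not mirror the ASA ACL
diagnose debug disable
diagnose debug reset

! ASA: equivalent view from the other end.
debug crypto ikev1 127
debug crypto ipsec 127
show crypto ikev1 sa
show crypto ipsec sa
```

Keep the lifetimes aligned as well (86400 s for IKE, 28800 s for IPsec above): a mismatch there does not stop the tunnel coming up, but it causes one side to rekey while the other still believes the old SA is valid, which shows up as a tunnel that works and then silently drops traffic.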