Monday, July 2, 2018

Fortigate - Policy Routing to VPN Tunnels

I have found that FortiOS v6+ handles policy routes across VPN tunnels (phase1/phase2-interface) slightly differently, and arguably in a broken way, compared with v5. In v5 you could create a policy route pointing to the tunnel interface, leave the gateway address set to 0.0.0.0, and everything worked fine. In v6, however, leaving it as 0.0.0.0 appears to be Fortinet code for "please don't use me, I'm stupid".


The fix is pretty simple: assign an IP to the tunnel interface on both sides (a /30 is fine, e.g. 10.255.255.1/30 and 10.255.255.2/30). Then, in the policy routes, reference the peer's tunnel IP as the gateway (as in the sample config), and it should start working.


Sample Config:

(Note that in this case the tunnel was used to route all internet-bound traffic across the VPN, so yours may look different.)

Firewall 1

config system interface
    edit "Corp"
        set vdom "root"
        set ip 10.153.153.2 255.255.255.255
        set type tunnel
        set remote-ip 10.3.153.1 255.255.255.252
        set interface "wan1"
    next
end

config router policy
    edit 1
        set input-device "internal"
        set src "10.2.53.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.153.153.1
        set output-device "Corp"
    next
end

Firewall 2

config system interface
    edit "Remote"
        set vdom "root"
        set ip 10.153.153.1 255.255.255.255
        set type tunnel
        set remote-ip 10.3.153.2 255.255.255.252
        set interface "wan1"
    next
end

config router policy
    edit 1
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "10.2.53.0/255.255.255.0"
        set gateway 10.153.153.2
        set output-device "Remote"
    next
end
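As an added check that is not part of the original post, here is a short Python audit of a FortiOS config export that flags exactly the case described above: a policy route whose output-device is a tunnel interface but whose gateway is still 0.0.0.0, or whose gateway does not match that tunnel's remote-ip. The embedded sample config is constructed (using the 10.255.255.0/30 addressing from the text, not the author's config), and the parser only understands the flat config/edit/set/next/end layout shown on this page.

```python
# Constructed sample (not the post's config): tunnel /30 from the text; policy 2 is a v5-style route left at 0.0.0.0.
SAMPLE_CONFIG = """config system interface
    edit "Corp"
        set type tunnel
        set remote-ip 10.255.255.1 255.255.255.252
    next
end
config router policy
    edit 1
        set src "10.2.53.0/255.255.255.0"
        set gateway 10.255.255.1
        set output-device "Corp"
    next
    edit 2
        set src "10.2.54.0/255.255.255.0"
        set gateway 0.0.0.0
        set output-device "Corp"
    next
end
"""

def parse_fortios(text):
    """Flatten config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section = tree.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, *values = (v.strip('"') for v in line[4:].split())
            entry[key] = values
        elif line == "next":
            entry = None
    return tree

def find_tunnel_route_problems(text):
    """Policy routes to a tunnel whose gateway is 0.0.0.0/unset or != remote-ip."""
    tree = parse_fortios(text)
    tunnels = {n: i.get("remote-ip", [None])[0] for n, i in
               tree.get("system interface", {}).items() if i.get("type") == ["tunnel"]}
    problems = []
    for pid, route in tree.get("router policy", {}).items():
        dev = route.get("output-device", [None])[0]
        gw = route.get("gateway", ["0.0.0.0"])[0]
        if dev in tunnels and gw == "0.0.0.0":
            problems.append((pid, f"gateway 0.0.0.0 is ignored on tunnel {dev}"))
        elif dev in tunnels and gw != tunnels[dev]:
            problems.append((pid, f"gateway {gw} != remote-ip {tunnels[dev]} of {dev}"))
    return problems
```

Run it over the output of `show full-configuration` (or a backup file) to catch routes that silently stopped working after a v5 to v6 upgrade.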