On the FGT you create a route-based VPN and specify the SRC/DST subnets in the phase 2 selectors, as with any other route-based VPN solution.
Ensure the proposals match on the FGT and F5 sides, and don't forget the route for the destination network via the tunnel interface and the target local subnet on the F5:
config router static
    edit 0
        set dst 10.52.132.250/32
        set device "f5"
    next
end
Now on the F5 side we need to do the following:
- set up a Layer 3 forwarding VIP
- define the phase 1 parameters (remote gateway, proposal, DH groups, PSK, etc.)
- define an ipsec-policy with the phase 2 proposal
- and a traffic-selector
Here are these steps:
Phase 1, i.e. the IKE parameters for the IKE SA
Traffic selector for encryption of the IPsec security associations
NOTE: the local/remote subnets need to match the FortiGate dst/src subnets exactly.
Layer 3 forwarding VIP
And finally use the local racoon.log for diagnostics on the F5 appliance.
SAs come in pairs, one per direction: the FGT outbound SA is the F5 inbound SA and vice versa, so the SPIs line up crosswise.
You can use the WebGUI IPsec diagnostics for the details, but racoon.log provides better diagnostic detail, including tunnel creation times, errors and warnings.
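The F5 steps listed above, followed by the diagnostic commands, as an added tmsh example that is not part of the original post. The peer addresses, object names, the 10.10.10.0/24 subnet behind the FGT, the listening VLAN and the PSK are placeholders, and the proposal values are assumptions that must match whatever the FGT is configured with; 10.52.132.250/32 is the host behind the F5 from the FGT route above.

```tmsh
# Added example, not the original post's configuration. Placeholders:
# F5 public IP 203.0.113.10, FGT public IP 198.51.100.20, 10.10.10.0/24
# behind the FGT, object names, VLAN and PSK. Proposal values are assumed.

# 1) Phase 1: IKE peer. Proposal must equal the FGT phase1-interface settings.
create net ipsec ike-peer fgt_peer \
    remote-address 198.51.100.20 \
    my-id-type address my-id-value 203.0.113.10 \
    peers-id-type address peers-id-value 198.51.100.20 \
    version replace-all-with { v2 } \
    phase1-auth-method pre-shared-key \
    preshared-key "CHANGEME-placeholder-psk" \
    phase1-encrypt-algorithm aes256 \
    phase1-hash-algorithm sha256 \
    phase1-perfect-forward-secrecy modp2048 \
    lifetime 1440

# 2) Phase 2: ipsec-policy carrying the ESP proposal, tunnel mode.
create net ipsec ipsec-policy fgt_policy \
    mode tunnel \
    tunnel-local-address 203.0.113.10 \
    tunnel-remote-address 198.51.100.20 \
    protocol esp \
    ike-phase2-encrypt-algorithm aes256 \
    ike-phase2-auth-algorithm sha256 \
    ike-phase2-perfect-forward-secrecy modp2048 \
    ike-phase2-lifetime 60

# 3) Traffic selector: mirrors the FGT selectors exactly
#    (F5 source = FGT destination and vice versa).
create net ipsec traffic-selector fgt_ts \
    source-address 10.52.132.250/32 \
    destination-address 10.10.10.0/24 \
    ipsec-policy fgt_policy \
    direction both
# IKEv2 negotiates selectors per peer, so attach it to the IKE peer.
modify net ipsec ike-peer fgt_peer traffic-selector replace-all-with { fgt_ts }

# 4) Layer 3 forwarding VIP so the F5 routes (not NATs) cleartext traffic
#    towards the tunnel. Listening VLAN is an assumption.
create ltm virtual ipsec_fwd_vs \
    destination 0.0.0.0:any mask any \
    ip-forward \
    profiles add { fastL4 } \
    translate-address disabled translate-port disabled \
    vlans-enabled vlans add { internal }
save sys config

# Diagnostics: SA state from tmsh, then racoon.log for negotiation detail.
show net ipsec ike-sa
show net ipsec ipsec-sa
run util bash -c "tail -n 100 /var/log/racoon.log"
```

When the tunnel fails to come up, compare the SPIs shown by `show net ipsec ipsec-sa` with the FGT's `diagnose vpn tunnel list` output; the F5 inbound SPI should equal the FGT outbound SPI, and a mismatch in the selectors shows up in racoon.log as a phase 2 negotiation failure.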