Re: IPsec with local IP different than subnet range.
Either of those VIPs should work with NAT off on the policy. I would set the VIP only for "ALL_ICMP", as well as the policy, then run the sniffer "diag sniffer packet any 'host SOURCE_IP_COMING_FROM' 4" at the FGT while pinging from the remote end. If you see it's coming in from the VPN and going out to the internal interface, the problem is on the VM side, not accepting the source IP. If you see it coming in but not going out, you need to run "flow debug (diag debug flow)" to see why it's dropped by the FGT.
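The sniffer check described in the reply above can be scripted over a saved capture. This is an added example, not part of the original post: the interface names (`to_remote`, `port2`), the addresses and the capture text are constructed, and the third outcome (nothing seen arriving on the VPN interface) is an addition to the post's two cases.

```python
import re

# One packet line of `diag sniffer packet any '<filter>' 4` output looks like:
#   <time> <interface> <in|out> <src> -> <dst>: <summary>
LINE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+?):\s+(.*)$")

def parse(text):
    """Return (iface, direction, src, dst, summary) tuples; header lines are skipped."""
    return [m.groups()[1:] for m in map(LINE.match, text.splitlines()) if m]

def triage(text, source_ip, vpn_if, internal_if):
    """Classify a capture of ICMP from source_ip into the cases the post describes."""
    # With NAT off on the policy the source stays the same on both sides of the
    # FGT; only the destination is rewritten by the VIP, so match on the source.
    pkts = [p for p in parse(text) if p[2] == source_ip]
    came_in = any(i == vpn_if and d == "in" for i, d, *_ in pkts)
    went_out = any(i == internal_if and d == "out" for i, d, *_ in pkts)
    if came_in and went_out:
        return "forwarded: check the VM side"
    if came_in:
        return "dropped by FGT: run diag debug flow"
    return "not seen on VPN: traffic never reached the FGT"  # added case

# Constructed captures (hypothetical interfaces and addresses).
FORWARDED = """interfaces=[any]
filters=[host 10.99.0.5]
1.204511 to_remote in 10.99.0.5 -> 172.16.50.10: icmp: echo request
1.204603 port2 out 10.99.0.5 -> 192.168.1.10: icmp: echo request
"""
DROPPED = """interfaces=[any]
filters=[host 10.99.0.5]
1.204511 to_remote in 10.99.0.5 -> 172.16.50.10: icmp: echo request
2.205102 to_remote in 10.99.0.5 -> 172.16.50.10: icmp: echo request
"""

if __name__ == "__main__":
    for name, cap in (("forwarded", FORWARDED), ("dropped", DROPPED)):
        print(name, "->", triage(cap, "10.99.0.5", "to_remote", "port2"))
```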