Re: Fortigate VPN with Stormshield VTI Virtual Tunneling Interface
If you run a packet capture on an FGT specifying a tunnel interface, I think it captures packets before ESP encryption/after ESP decryption. If you want to capture ESP-encrypted packets, you need to insert a switch with port mirroring and hook up a laptop to it to see the packets between the two FWs.
Based on the diagram, I think the problem is that the unwanted destinations are reachable without the tunnel. Since this seems to be a test/lab environment, just make sure the routes to the unwanted destinations don't exist, including the default route to the other side. Then set routes only for the desired destinations INTO the tunnel on both ends.