Policy & Objects : VPN Console : VPN security policies : Defining policy addresses
 
Defining policy addresses
A VPN tunnel has two end points. These end points may be VPN peers such as two FortiGate gateways. Encrypted packets are transmitted between the end points. At each end of the VPN tunnel, a VPN peer intercepts encrypted packets, decrypts the packets, and forwards the decrypted IP packets to the intended destination.
You need to define firewall addresses for the private networks behind each peer. You will use these addresses as the source or destination address depending on the security policy.
In general:
In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need to define a policy address for the private IP address of the network behind the remote VPN peer.
In a peer-to-peer configuration, you need to define a policy address for the private IP address of a server or host behind the remote VPN peer.