Route-based VPN security policies
Define an ACCEPT security policy to permit communications between the source and destination addresses.
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:
   Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
   Source Address: Select All.
   Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
   Destination Address: Select All.
   Action: Select ACCEPT.
   Enable NAT: Disable.
If you want to allow hosts on the private network to initiate communications with the FortiClient users after the tunnel is established, you need to define a security policy for communication in that direction.
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:
   Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
   Source Address: Select All.
   Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
   Destination Address: Select All.
   Action: Select ACCEPT.
   Enable NAT: Disable.
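To audit an exported configuration against the settings of the first policy above (VPN tunnel interface to private-network interface, ACCEPT, NAT disabled), the following Python check parses a "config firewall policy" block and lists any deviations. It is an added example, not part of the Fortinet documentation; the interface names, the sample configuration and the defaults assumed for options absent from the export (action deny, NAT disabled) are constructed for illustration.

```python
# Constructed sample in FortiOS CLI syntax; interface names are assumptions.
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set srcintf "FCT_dialup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "FCT_dialup2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: value}} from a 'config firewall policy' block."""
    policies, current, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config firewall policy":
            inside = True
        elif line == "end":
            inside, current = False, None
        elif inside and line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif inside and line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return policies

EXPECTED = {"srcaddr": "all", "dstaddr": "all", "action": "accept", "nat": "disable"}
# Assumed values for options that do not appear in the exported configuration.
DEFAULTS = {"action": "deny", "nat": "disable"}

def check_tunnel_policy(policies, tunnel_if, private_if):
    """Deviations from the page's settings for the tunnel -> private policy."""
    for pid, opts in sorted(policies.items()):
        if (opts.get("srcintf"), opts.get("dstintf")) == (tunnel_if, private_if):
            actual = {k: opts.get(k, DEFAULTS.get(k)) for k in EXPECTED}
            return [f"policy {pid}: {k}={actual[k]} (expected {v})"
                    for k, v in EXPECTED.items() if actual[k] != v]
    return [f"no policy from {tunnel_if} to {private_if}"]
```

An empty list means the policy matches the settings listed in step 3; a policy with NAT enabled on the tunnel interface is reported as a deviation.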