Chapter 11 IPsec VPN for FortiOS 5.0 : FortiGate dialup-client configurations : Configure the server to accept FortiGate dialup-client connections : Policy-based VPN security policy
  
Policy-based VPN security policy
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type of VPN and leave the Policy Subtype as IPsec.
3. Enter these settings in particular:
Local Interface: Select the interface that connects to the private network behind this FortiGate unit.
Local Protected Subnet: Select the address name that you defined in Step 3 for the private network behind this FortiGate unit.
Outgoing VPN Interface: Select the FortiGate unit's public interface.
Remote Protected Subnet: Select the address name that you defined in Step 3.
VPN Tunnel: Select Use Existing and select the name of the phase 1 configuration that you created in Step 1 from the drop-down list.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
Clear Allow outbound to prevent traffic from the local network from initiating the tunnel after the tunnel has been established.
4. To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, disable outbound VPN traffic on the policy in the CLI:
    config firewall policy
        edit <policy_number>
            set outbound disable
        end
Place the policy in the policy list above any other policies having similar source and destination addresses.
If configuring a route-based policy, configure a default route for VPN traffic on this interface.
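The same policy expressed entirely in the FortiOS CLI, as an added example that is not taken from the Fortinet documentation. The interface names (internal, wan1), address names (local_net, remote_net), the phase 1 name (dialup_p1) and the policy IDs are placeholders for values from your own Step 1 and Step 3 configuration.

```text
# Added example (placeholder names): policy-based IPsec policy for a
# FortiGate dialup-client server, equivalent to the GUI steps above.
config firewall policy
    edit 10
        set srcintf "internal"         # Local Interface (private network side)
        set dstintf "wan1"             # Outgoing VPN Interface (public side)
        set srcaddr "local_net"        # Local Protected Subnet (address from Step 3)
        set dstaddr "remote_net"       # Remote Protected Subnet (address from Step 3)
        set action ipsec               # Policy Type VPN, Subtype IPsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "dialup_p1"      # phase 1 created in Step 1
        set inbound enable             # "Allow traffic to be initiated from the remote site"
        set outbound disable           # the CLI-only setting from Step 4: local side never brings the tunnel up
    next
    # Keep the IPsec policy above any policy with overlapping source/destination
    # addresses, otherwise that policy matches first and the traffic is not encrypted.
    # Assumes policy 5 is an existing overlapping policy.
    move 10 before 5
end
```

With outbound disabled, a host on the internal side cannot trigger tunnel negotiation, so the server only ever responds to dialup clients; check the final order with "show firewall policy" before relying on it.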