Chapter 11 IPsec VPN for FortiOS 5.0 : Dynamic DNS configuration : Configure the dynamically-addressed VPN peer : Configuring branch_2 security policies : Creating branch_2 route-based security policies
  
Creating branch_2 route-based security policies
Define ACCEPT security policies to permit communication between the branch_2 and branch_1 private networks. Once the route-based policies are configured, a routing entry must also be configured so that traffic is routed over the VPN interface; a route-based policy on its own does not send anything into the tunnel.
Define a policy to permit the branch_2 local FortiGate unit to initiate a VPN session with the branch_1 VPN peer.
To create route-based security policies
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK.
Incoming Interface
Select internal. The interface that connects to the private network behind this FortiGate unit.
Source Address
Select branch_2_internal. The address name for the private network behind this FortiGate unit.
Outgoing Interface
Select branch_2. The VPN tunnel (IPsec interface).
Destination Address
Select branch_1_internal. The address name for the private network behind the remote peer.
Action
Select ACCEPT.
Enable NAT
Disable.
Comments
Route-based: Initiate a branch_2 to branch_1 VPN tunnel.
Define a policy to permit the branch_1 remote VPN peer to initiate VPN sessions.
1. Select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK.
Incoming Interface
Select branch_2. The VPN tunnel (IPsec interface).
Source Address
Select branch_1_internal. The address name for the private network behind the remote peer.
Outgoing Interface
Select internal. The interface connecting the private network behind this FortiGate unit.
Destination Address
Select branch_2_internal. The address name for the private network behind this FortiGate unit.
Action
Select ACCEPT.
Enable NAT
Disable.
Comments
Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel.
4. Optionally configure any other security policy settings you require such as UTM or traffic shaping for this policy.
5. Place these policies in the policy list above any other policies having similar source and destination addresses. The FortiGate unit evaluates policies from the top down and applies the first match, so a broader policy (for example internal to wan1 with NAT enabled) placed above these would send the branch_1-bound traffic out wan1, translated and in the clear, instead of into the tunnel. Placing the VPN policies first ensures VPN traffic is matched against them before any other policies.
To create routing entry for VPN interface - CLI
config router static
edit 5
set dst 0.0.0.0 0.0.0.0
set dynamic-gateway enable
set device wan1
next
end
This routing entry must be added in the CLI because the dynamic-gateway option is not available in the web-based manager. With dynamic-gateway enabled, the default route uses whatever gateway address wan1 learns from its DHCP or PPPoE server, which is what a dynamically-addressed peer needs.
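The following is an added example, not text from the FortiOS 5.0 handbook: the CLI equivalent of the two route-based policies created in the web-based manager above, followed by the routing entries branch_2 needs. It assumes the address objects branch_2_internal and branch_1_internal and the IPsec interface branch_2 already exist, and it assumes a private subnet of 10.10.10.0/24 behind branch_1, which this page does not state; substitute the real subnet.

```fortios
# Added example (not from the FortiOS handbook). Assumptions: address objects
# branch_2_internal and branch_1_internal and IPsec interface branch_2 exist;
# branch_1's private subnet is 10.10.10.0/24 (not given on this page).
config firewall policy
    # branch_2 private network initiates sessions to branch_1 over the tunnel
    edit 0
        set srcintf "internal"
        set dstintf "branch_2"
        set srcaddr "branch_2_internal"
        set dstaddr "branch_1_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Route-based: Initiate a branch_2 to branch_1 VPN tunnel."
    next
    # branch_1 private network initiates sessions to branch_2 over the tunnel
    edit 0
        set srcintf "branch_2"
        set dstintf "internal"
        set srcaddr "branch_1_internal"
        set dstaddr "branch_2_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel."
    next
end

config router static
    # Route branch_1's private network into the IPsec interface. Without this
    # route the traffic accepted by the first policy follows the default route
    # out wan1 instead of entering the tunnel.
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "branch_2"
    next
    # Default route. branch_2's WAN address is assigned dynamically, so
    # dynamic-gateway uses the gateway learned from the DHCP or PPPoE server.
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway enable
        set device "wan1"
    next
end
```

Policies created with edit 0 are appended to the bottom of the policy list, so after creating them run show firewall policy to find the IDs that were assigned and, if a broader policy with overlapping addresses sits above them, use move <new-id> before <existing-id> inside config firewall policy to place the VPN policies first, as step 5 above requires. To confirm the routing side, get router info routing-table all should show the assumed 10.10.10.0/24 pointing at branch_2 and the default route pointing at the gateway wan1 learned dynamically.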