Chapter 11 IPsec VPN for FortiOS 5.0 : Dynamic DNS configuration : Configure the fixed-address VPN peer : Configuring branch_1 security policies : Creating branch_1 route-based security policies
  
Creating branch_1 route-based security policies
Define an ACCEPT security policy to permit communications between the source and destination addresses. Because this VPN is route-based (the tunnel is an IPsec interface), the policy simply names the branch_1 tunnel interface as the incoming or outgoing interface; unlike a policy-based VPN, it has no IPSEC action and does not select a tunnel itself. See “Defining VPN security policies”.
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK.
Incoming Interface: Select internal, the interface that connects to the private network behind the branch_1 FortiGate unit.
Source Address: Select branch_1_internal, the address name that you defined for the private network behind this FortiGate unit.
Outgoing Interface: Select branch_1, the VPN Tunnel (IPsec Interface) you configured earlier.
Destination Address: Select branch_2_internal, the address name that you defined for the private network behind the branch_2 peer.
Action: Select ACCEPT.
Enable NAT: Disable.
Comments: Internal -> branch2
A security policy permits traffic in one direction only, so this first policy lets hosts behind branch_1 open sessions to branch_2 (return traffic is allowed by the session state). To permit hosts behind the branch_2 peer to initiate communication, you need a second security policy for traffic in that direction, with the tunnel interface as the incoming interface.
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK.
Incoming Interface: Select branch_1, the VPN Tunnel (IPsec Interface) you configured earlier.
Source Address: Select branch_2_internal, the address name that you defined for the private network behind the branch_2 remote peer.
Outgoing Interface: Select internal, the interface that connects to the private network behind this FortiGate unit.
Destination Address: Select branch_1_internal, the address name that you defined for the private network behind this FortiGate unit.
Action: Select ACCEPT.
Enable NAT: Disable.
Comments: branch_2 -> Internal
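The two policies above, entered from the FortiOS CLI instead of the GUI. This is an added example, not text from the original guide; it uses the interface and address names defined in this chapter. The Schedule and Service values (always and ALL) are not shown on the GUI steps above because the GUI fills them in by default, but the CLI requires them explicitly; `edit 0` assigns the next free policy ID rather than a specific number.

```fortios
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "branch_1"
        set srcaddr "branch_1_internal"
        set dstaddr "branch_2_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Internal -> branch2"
    next
    edit 0
        set srcintf "branch_1"
        set dstintf "internal"
        set srcaddr "branch_2_internal"
        set dstaddr "branch_1_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "branch_2 -> Internal"
    next
end
```

These policies only decide which traffic is permitted across the tunnel interface. With a route-based VPN, traffic for branch_2_internal still has to be routed to the branch_1 tunnel interface (a static route to the remote subnet via branch_1), otherwise it follows the default route and never reaches either policy. Keeping the source and destination addresses restricted to the two internal subnets, rather than "all", is what prevents the tunnel from being used to reach anything beyond the intended networks.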