Chapter 11 IPsec VPN for FortiOS 5.0 : Gateway-to-gateway configurations : Configuring the two VPN peers : Creating security policies
  
Creating security policies
Security policies control all IP traffic passing between a source address and a destination address.
An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.
Before you define security policies, you must first specify the IP source and destination addresses. In a gateway-to-gateway configuration:
The IP source address corresponds to the private network behind the local FortiGate unit.
The IP destination address refers to the private network behind the remote VPN peer.
When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.
The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:
Define the phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
Define the phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
Create the security policy and define the scope of permitted services between the IP source and destination addresses.
When creating security policies it is good practice to include a comment describing what the policy does.
When creating security policies you need to be
Creating firewall addresses
Creating route-based VPN security policies
Configuring a default route for VPN interface
or
Creating firewall addresses
Creating policy-based VPN security policy
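The two alternatives listed above, as an added example in FortiOS 5.0 CLI (not the handbook's own configuration): firewall addresses for the two private networks, then either the route-based policy pair with its static route, or the single policy-based policy. The interface names "internal" and "wan1", the phase 1 tunnel name "to_FortiGate_2" and the subnets 10.1.1.0/24 and 10.2.2.0/24 are assumptions.

```fortios
# Added example (FortiOS 5.0 CLI), not from the handbook; names and subnets are assumed.
config firewall address
    edit "Local_LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Remote_LAN"
        set subnet 10.2.2.0 255.255.255.0
    next
end
# Option A, route-based: tunnel interface in the policy, one policy per direction.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "to_FortiGate_2"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Outbound to remote LAN via IPsec"
    next
    edit 11
        set srcintf "to_FortiGate_2"
        set dstintf "internal"
        set srcaddr "Remote_LAN"
        set dstaddr "Local_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 10.2.2.0 255.255.255.0
        set device "to_FortiGate_2"
    next
end
# Option B, policy-based (use instead of A, never both): one policy, action ipsec.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_FortiGate_2"
    next
end
```

Apply the mirror image on FortiGate_2 (swap the Local_LAN and Remote_LAN addresses and point the tunnel at FortiGate_1), keeping the same method on both peers.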