Chapter 11 IPsec VPN for FortiOS 5.0 : Gateway-to-gateway configurations : Configuring the two VPN peers : Creating security policies : Creating policy-based VPN security policy
  
Creating policy-based VPN security policy
Define an IPsec security policy to permit communications between the source and destination addresses.
1. Go to Policy > Policy > Policy.
2. Set Policy Type to VPN and leave Policy Subtype as IPsec.
3. Complete the following fields:

   Local Interface
      Select internal.
      The interface that connects to the private network behind this FortiGate unit.

   Local Protected Subnet
      Select Finance_network when configuring FortiGate_1.
      Select HR_network when configuring FortiGate_2.
      The address name defined for the private network behind this FortiGate unit.

   Outgoing VPN Interface
      Select wan1.
      The FortiGate unit's public interface.

   Remote Protected Subnet
      Select HR_network when configuring FortiGate_1.
      Select Finance_network when configuring FortiGate_2.
      The address name that you defined in Step  for the private network behind the remote peer.

   VPN Tunnel
      Select Use Existing and select peer_1 from the VPN Tunnel drop-down list.
      Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

   Comments
      Bidirectional policy-based VPN policy.
Place VPN policies in the policy list above any other policies having similar source and destination addresses. Policies are matched from the top down, so a broader policy listed first would match the traffic and handle it outside the tunnel.
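The following is an added example of the same policy expressed in the FortiOS CLI, not text from the FortiOS documentation itself. It is written for FortiGate_1 using the object names the procedure above uses (internal, wan1, Finance_network, HR_network, peer_1); the policy ID 10, the ID 1 of the pre-existing policy it is moved above, and the use of the built-in "always" schedule and "ALL" service are assumptions for illustration.

```text
# Added example: CLI equivalent of the GUI steps for FortiGate_1 (assumed policy ID 10).
config firewall policy
    edit 10
        set srcintf "internal"          # Local Interface
        set dstintf "wan1"              # Outgoing VPN Interface
        set srcaddr "Finance_network"   # Local Protected Subnet
        set dstaddr "HR_network"        # Remote Protected Subnet
        set action ipsec                # Policy Type VPN, Subtype IPsec (policy-based VPN)
        set vpntunnel "peer_1"          # VPN Tunnel: Use Existing -> peer_1
        set inbound enable              # Allow traffic to be initiated from the remote site
        set outbound enable             # hosts behind this unit may bring the tunnel up
        set schedule "always"           # assumed: built-in schedule object
        set service "ALL"               # assumed: built-in service object
        set comments "Bidirectional policy-based VPN policy."
    next
end

# Ensure the VPN policy sits above an existing policy (assumed ID 1) that
# matches the same addresses, so it is evaluated first.
config firewall policy
    move 10 before 1
end

# Check the resulting policy order and confirm the tunnel comes up once traffic flows.
show firewall policy
diagnose vpn tunnel list
```

On FortiGate_2 the same policy is created with srcaddr HR_network and dstaddr Finance_network, as the field descriptions above indicate. After applying it, reviewing the output of show firewall policy is the quickest way to confirm that no broader accept policy precedes the VPN policy for the two protected subnets.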