Chapter 11 IPsec VPN for FortiOS 5.0 : Hub-and-spoke configurations : Configure the hub : Define the hub-spoke security policies : Route-based VPN security policies
  
Route-based VPN security policies
Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction.
To add policies
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular (this policy permits traffic from the spoke's private network into the hub's private network):
Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
Outgoing Interface: Select the hub's interface to the internal (private) network.
Destination Address: Select the source address that you defined in Step 1 (the hub's private network).
Action: Select ACCEPT.
Enable NAT: Enable.
4. Select OK.
5. Select Create New again, leave the Policy Type as Firewall and the Policy Subtype as Address, and enter these settings in particular (this policy permits traffic from the hub's private network out to the spoke's private network; the interfaces and addresses are the reverse of the first policy):
Incoming Interface: Select the hub's interface to the internal (private) network.
Source Address: Select the source address that you defined in Step 1 (the hub's private network).
Outgoing Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
Action: Select ACCEPT.
Enable NAT: Enable.
6. Select OK.
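The same two policies entered from the FortiOS CLI, as an added example that is not part of the original page. The interface and address names (Spoke1_tunnel, internal, Spoke1_LAN, Hub_LAN) are assumed placeholders standing in for the IPsec interface from Step 1 and the address objects from Steps 1 and 2; substitute the names from your own configuration. Lines beginning with # are explanatory and are not part of the configuration.

```fortios
# Hub FortiGate: route-based hub-and-spoke policies, one per direction.
# Assumed names (replace with your own):
#   Spoke1_tunnel  IPsec interface created in Step 1
#   internal       hub interface to the private network
#   Spoke1_LAN     address object for the network behind the spoke (Step 2)
#   Hub_LAN        address object for the hub's private network (Step 1)
config firewall policy
    # Policy 1: spoke private network -> hub private network
    edit 0
        set srcintf "Spoke1_tunnel"
        set dstintf "internal"
        set srcaddr "Spoke1_LAN"
        set dstaddr "Hub_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 2: hub private network -> spoke private network (reverse direction)
    edit 0
        set srcintf "internal"
        set dstintf "Spoke1_tunnel"
        set srcaddr "Hub_LAN"
        set dstaddr "Spoke1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verify that both policies exist and are bound to the expected interfaces.
show firewall policy
```

`edit 0` lets the FortiGate allocate the next free policy ID. Both policies use `set service "ALL"` to match the procedure above; narrow the service list to what the spoke actually needs once connectivity is confirmed. Note that `set nat enable` rewrites the source address of matching traffic to the address of the outgoing interface, so on Policy 2 the IPsec interface must have an IP address assigned for hub-originated traffic to be source-translated correctly; if the spoke must see the hub's real private addresses, use `set nat disable` on that policy instead.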