IPsec VPN for FortiOS 5.0, Chapter 11: Hub-and-spoke configurations. Configure the hub: Define the hub-spoke security policies.

Policy-based VPN security policy
Define an IPsec security policy to permit communications between the hub and the spoke.
To add policies
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as VPN and leave the Policy Subtype as IPsec.
3. Enter these settings in particular:
   Local Interface: Select the hub’s interface to the internal (private) network.
   Local Protected Subnet: Select the source address that you defined in Step 1.
   Outgoing VPN Interface: Select the hub’s public network interface.
   Remote Protected Subnet: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
   VPN Tunnel: Select Use Existing and select the name of the phase 1 configuration that you created for the spoke in Step 1.
   Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
In the policy list, arrange the policies in the following order (the FortiGate unit evaluates policies from the top down and applies the first one that matches, so a catch-all policy placed above the IPsec policies would prevent them from ever being used):
1. IPsec policies that control traffic between the hub and the spokes first
2. the default security policy last
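The same hub policy expressed in the FortiOS 5.0 CLI, as an added example that is not part of the original document. The interface, address and tunnel names (internal, wan1, hub_lan, spoke1_lan, spoke1_p1) and the policy ids (10 for the IPsec policy, 1 for the default policy) are hypothetical placeholders for the objects created in Steps 1 and 2; the GUI option "Allow traffic to be initiated from the remote site" is assumed to correspond to "set inbound enable". Lines beginning with "#" are annotations, not commands.

```text
# Added example (not from the FortiOS documentation): policy-based IPsec
# policy on the hub. All object names and policy ids are placeholders.
config firewall policy
    edit 10
        # Local Interface: the hub's private-network interface
        set srcintf "internal"
        # Outgoing VPN Interface: the hub's public interface
        set dstintf "wan1"
        # Local Protected Subnet: address object from Step 1
        set srcaddr "hub_lan"
        # Remote Protected Subnet: address object from Step 2 (network behind the spoke)
        set dstaddr "spoke1_lan"
        # action ipsec makes this a policy-based VPN policy
        set action ipsec
        set schedule "always"
        set service "ALL"
        # VPN Tunnel: Use Existing -> the spoke's phase 1 name from Step 1
        set vpntunnel "spoke1_p1"
        # assumed equivalent of "Allow traffic to be initiated from the remote site"
        set inbound enable
        # hosts behind the hub may also bring the tunnel up
        set outbound enable
    next
end

# Ordering: keep the IPsec policy above the default policy (assumed id 1)
config firewall policy
    move 10 before 1
end
```

After applying the configuration, reviewing the policy list with "show firewall policy" lets you confirm that the IPsec policy precedes the default policy, that its action is ipsec, and that the source and destination address objects are the narrow subnets from Steps 1 and 2 rather than "all", since a policy-based VPN policy with overly broad addresses would pull unrelated traffic into the tunnel.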