Configuring communication between spokes (route-based VPN)
For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:
• Put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
• Put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy.
• Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.
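The first two options side by side, as an added example that is not part of the original page. It assumes FortiOS CLI syntax; the zone name `Spoke_VPN`, the IPsec interface names `to_spoke1` to `to_spoke3`, the policy name and the `default` profile names are hypothetical.

```fortios
# Added example. Zone, interface, policy and profile names are assumptions.

# Option 1: zone with intra-zone traffic allowed.
# Spoke-to-spoke traffic is forwarded without any policy,
# so no UTM profile can be applied to it.
config system zone
    edit "Spoke_VPN"
        set interface "to_spoke1" "to_spoke2" "to_spoke3"
        set intrazone allow
    next
end

# Option 2: the same zone with intra-zone traffic denied,
# plus a single zone-to-zone policy that carries the UTM profiles.
config system zone
    edit "Spoke_VPN"
        set interface "to_spoke1" "to_spoke2" "to_spoke3"
        set intrazone deny
    next
end
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "Spoke_VPN"
        set dstintf "Spoke_VPN"
        # "all" keeps the example short; address objects for the
        # spoke subnets would narrow what the policy accepts.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

The two zone definitions are alternatives for the same zone, not a sequence to apply together.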