Using security policies as a concentrator
To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. The other policies are similar.
1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see “Defining policy addresses”.
2. Go to Policy > Policy > Policy and select Create New.
3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
4. Enter the settings and select OK.
   Incoming Interface: Select the IPsec interface that connects to Spoke 1.
   Source Address: Select the address of the private network behind Spoke 1.
   Outgoing Interface: Select the IPsec interface that connects to Spoke 2.
   Destination Address: Select the address of the private network behind Spoke 2.
   Action: Select ACCEPT.
   Enable NAT: Enable.
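
Because a policy is needed for each direction, a one-way spoke pair is an easy mistake to leave in a hub configuration. The following check is an added example, not part of the original handbook: it parses a constructed `config firewall policy` excerpt (the CLI form of the settings above) and reports spoke-to-spoke ACCEPT policies that have no reverse policy. The interface and address names are hypothetical, and it assumes one interface and one address per policy.

```python
import re

# Constructed sample: the policy settings from the procedure above in FortiOS CLI form.
# Interface and address names (toSpoke1, Spoke1_net, ...) are hypothetical.
STANZA = '''    edit {pid}
        set srcintf "to{src}"
        set dstintf "to{dst}"
        set srcaddr "{src}_net"
        set dstaddr "{dst}_net"
        set action accept
        set nat enable
    next
'''
PAIRS = [("Spoke1", "Spoke2"), ("Spoke2", "Spoke1"), ("Spoke1", "Spoke3")]
SAMPLE = ("config firewall policy\n"
          + "".join(STANZA.format(pid=i, src=s, dst=d) for i, (s, d) in enumerate(PAIRS, 1))
          + "end\n")

def parse_policies(text):
    """Return {policy_id: {setting: value}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        # Single-valued settings only; multi-valued lines are skipped (assumption).
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line)):
            current[m.group(1)] = m.group(2)
    return policies

def one_way_pairs(policies, vpn_interfaces):
    """Return (srcintf, dstintf) of spoke-to-spoke ACCEPT policies lacking a reverse policy."""
    flows = {(p.get("srcintf"), p.get("srcaddr"), p.get("dstintf"), p.get("dstaddr"))
             for p in policies.values() if p.get("action") == "accept"}
    return sorted((si, di) for si, sa, di, da in flows
                  if {si, di} <= set(vpn_interfaces) and (di, da, si, sa) not in flows)

if __name__ == "__main__":
    vpn = {"toSpoke1", "toSpoke2", "toSpoke3"}
    for src, dst in one_way_pairs(parse_policies(SAMPLE), vpn):
        print(f"{src} -> {dst} is accepted, but there is no policy for {dst} -> {src}")
```

In the sample, Spoke 1 and Spoke 2 have policies in both directions, while Spoke 3 cannot initiate traffic to Spoke 1.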