Route-based VPN security policy
Define two security policies to permit communications to and from the hub.
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings:
   Incoming Interface: Select the virtual IPsec interface you created.
   Source Address: Select the hub address you defined in Step 1.
   Outgoing Interface: Select the spoke’s interface to the internal (private) network.
   Destination Address: Select the spoke addresses you defined in Step 2.
   Action: Select ACCEPT.
   Enable NAT: Enable

   Incoming Interface: Select the spoke’s interface to the internal (private) network.
   Source Address: Select the spoke address you defined in Step 1.
   Outgoing Interface: Select the virtual IPsec interface you created.
   Destination Address: Select the hub destination addresses you defined in Step 2.
   Action: Select ACCEPT.
   Enable NAT: Enable
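
The same two policies expressed in the FortiOS CLI, as an added example that is not part of the original guide. The interface names (toHub, internal) and address object names (Hub_net, Spoke_net) are hypothetical placeholders for the objects you created earlier, and the schedule and service values are assumptions because the procedure above does not specify them.

```fortios
# Added example. Replace the placeholder names with your own objects:
#   "toHub"     - virtual IPsec interface (hypothetical name)
#   "internal"  - spoke's interface to the private network (hypothetical name)
#   "Hub_net"   - hub address object (hypothetical name)
#   "Spoke_net" - spoke address object (hypothetical name)
config firewall policy
    # Policy 1: hub to spoke, arriving on the IPsec interface
    edit 0
        set srcintf "toHub"
        set dstintf "internal"
        set srcaddr "Hub_net"
        set dstaddr "Spoke_net"
        set action accept
        # Assumption: schedule and service are not given in the procedure.
        # Narrow "ALL" to the services the hub actually needs to reach.
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 2: spoke to hub, leaving through the IPsec interface
    edit 0
        set srcintf "internal"
        set dstintf "toHub"
        set srcaddr "Spoke_net"
        set dstaddr "Hub_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Using edit 0 lets FortiOS assign the next free policy ID; run show firewall policy afterwards to confirm both entries and their order.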