Policy-based VPN security policy
Define an IPsec security policy to permit communications with the hub. See “Defining VPN security policies”.
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as VPN and leave the Policy Subtype as IPsec.
3. Enter these settings in particular:
   Local Interface: Select the spoke’s interface to the internal (private) network.
   Local Protected Subnet: Select the spoke address you defined in Step 1.
   Outgoing VPN Interface: Select the spoke’s interface to the external (public) network.
   Remote Protected Subnet: Select the hub address you defined in Step 2.
   VPN Tunnel: Select Use Existing and select the name of the phase 1 configuration you defined. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
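
The same policy expressed in the FortiOS CLI, as an added example that is not part of the original handbook page. The policy ID, the interface names (port1, wan1), the address names (Spoke_net, Hub_net) and the phase 1 name (toHub) are hypothetical placeholders; the schedule and service values are also assumptions, since the page does not specify them.

```fortios
config firewall policy
    # Hypothetical policy ID; use an unused ID on your unit.
    edit 10
        # Local Interface: spoke interface to the internal (private) network.
        set srcintf "port1"
        # Outgoing VPN Interface: spoke interface to the external (public) network.
        set dstintf "wan1"
        # Local Protected Subnet: the spoke address from Step 1 (placeholder name).
        set srcaddr "Spoke_net"
        # Remote Protected Subnet: the hub address from Step 2 (placeholder name).
        set dstaddr "Hub_net"
        # Policy Type VPN, Subtype IPsec.
        set action ipsec
        # Assumed values; the page does not state a schedule or service.
        set schedule "always"
        set service "ALL"
        # Local network may initiate the tunnel.
        set outbound enable
        # "Allow traffic to be initiated from the remote site".
        set inbound enable
        # VPN Tunnel: existing phase 1 configuration (placeholder name).
        set vpntunnel "toHub"
    next
end
```

Because `inbound enable` lets hosts behind the hub bring up the tunnel, keep the two address objects scoped to the subnets that actually need to communicate rather than to broad ranges.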