Route-based VPN security policy
Define two security policies to permit communications to and from the other spokes.
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:
   Incoming Interface: Select the virtual IPsec interface you created.
   Source Address: Select the spoke address group you defined in Step 1.
   Outgoing Interface: Select the spoke’s interface to the internal (private) network.
   Destination Address: Select this spoke’s address name.
   Action: Select ACCEPT.
   Enable NAT: Enable
4. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:
   Incoming Interface: Select the spoke’s interface to the internal (private) network.
   Source Address: Select this spoke’s address name.
   Outgoing Interface: Select the virtual IPsec interface you created.
   Destination Address: Select the spoke address group you defined in Step 1.
   Action: Select ACCEPT.
   Enable NAT: Enable
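
The two policies from steps 3 and 4 expressed in the FortiOS CLI, as an added example that is not part of the original handbook page. The names "toHub", "internal", "Spoke_net" and "Other_spokes" are placeholders for the virtual IPsec interface, the internal interface, this spoke's address name and the spoke address group; the schedule and service values are assumptions, since the steps above do not set them.

```text
# Added example; all quoted object names are placeholders.
config firewall policy
    # Policy from step 3: other spokes -> this spoke's private network
    edit 0
        set srcintf "toHub"
        set srcaddr "Other_spokes"
        set dstintf "internal"
        set dstaddr "Spoke_net"
        set action accept
        # Assumed values, not stated in the GUI steps
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy from step 4: this spoke's private network -> other spokes
    edit 0
        set srcintf "internal"
        set srcaddr "Spoke_net"
        set dstintf "toHub"
        set dstaddr "Other_spokes"
        set action accept
        # Assumed values, not stated in the GUI steps
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Entering `edit 0` asks the unit to assign the next free policy ID. The two entries are mirror images of each other, so a review can confirm that each one's source interface and address are the other's destination.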