Chapter 11 IPsec VPN for FortiOS 5.0 : Hub-and-spoke configurations : Configure the spokes : Configuring security policies for spoke-to-spoke communication : Policy-based VPN security policy
  
Policy-based VPN security policy
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as VPN and leave the Policy Subtype as IPsec.
3. Enter the following:
Local Interface
Select this spoke’s internal (private) network interface.
Local Protected Subnet
Select this spoke’s source address.
Outgoing VPN Interface
Select the spoke’s interface to the external (public) network.
Remote Protected Subnet
Select the spoke address group you defined in Step 1.
VPN Tunnel
Select Use Existing and select the name of the phase 1 configuration you defined.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
Place this policy or policies in the policy list above any other policies having similar source and destination addresses.