Chapter 11 IPsec VPN for FortiOS 5.0 : Hub-and-spoke configurations : Dynamic spokes configuration example : Configure the hub (FortiGate_1) : Define the security policies
Define the security policies
Security policies control all IP traffic passing between a source address and a destination address. For a route-based VPN, the policies are simpler than for a policy-based VPN: instead of an IPSEC policy, you use an ACCEPT policy with the virtual IPsec interface as the external interface.
Before you define security policies, you must first define firewall addresses to use in those policies. You need addresses for:
   - the HR network behind FortiGate_1
   - the aggregate subnet address for the protected networks
To define the IP address of the HR network behind FortiGate_1
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information, and select OK:
   Name: Enter an address name (for example, HR_Network).
   Type: Subnet
   Subnet/IP Range: Enter the IP address of the HR network behind FortiGate_1 (for example, 10.1.0.0/24).
To specify the IP address of the aggregate protected subnet
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information, and select OK:
   Address Name: Enter an address name (for example, Spoke_net).
   Type: Subnet
   Subnet/IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16.
To define the security policy for traffic from the hub to the spokes
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
   Incoming Interface: Select the interface to the HR network, port1.
   Source Address: Select HR_Network.
   Outgoing Interface: Select the virtual IPsec interface that connects to the spokes, toSpokes.
   Destination Address: Select Spoke_net.
   Action: Select ACCEPT.
Place the policy in the policy list above any other policies having similar source and destination addresses.
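The same hub-side address objects and hub-to-spoke policy entered through the FortiOS CLI instead of the GUI, as an added example that is not part of the original page. The policy ID 1, the ID 2 of the existing policy it is moved ahead of, and the schedule and service values are assumptions; the address names, interfaces and subnets are those used above.

```fortios
config firewall address
    edit "HR_Network"
        set type ipmask
        # HR network behind FortiGate_1 (/24 as in the example above)
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Spoke_net"
        set type ipmask
        # aggregate of all protected spoke subnets (/16 as in the example above)
        set subnet 10.1.0.0 255.255.0.0
    next
end

config firewall policy
    # policy ID 1 is an assumed value; pick a free ID on your unit
    edit 1
        set srcintf "port1"
        set dstintf "toSpokes"
        set srcaddr "HR_Network"
        set dstaddr "Spoke_net"
        set action accept
        set schedule "always"
        # "ALL" permits every service; narrow this to the protocols the spokes need
        set service "ALL"
    next
    # place it above an existing policy (ID 2 assumed) that has similar
    # source and destination addresses, as the last step above requires
    move 1 before 2
end
```

Verify the order afterwards with `show firewall policy`: the hub-to-spoke policy must be listed before any broader policy matching the same addresses, or that policy will be evaluated first.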