Chapter 11 IPsec VPN for FortiOS 5.0 : Hub-and-spoke configurations : Dynamic spokes configuration example : Configure the hub (FortiGate_1) : Configure communication between spokes
  
Configure communication between spokes
Spokes communicate with each other through the hub: traffic from one spoke arrives on the hub's virtual IPsec interface and must leave through that same interface to reach another spoke. By default the hub does not forward traffic between two spokes unless a security policy allows it, so you need to configure the hub explicitly. An easy way to do this is to create a zone containing the virtual IPsec interface (even if the zone contains only that one interface) and then create a zone-to-zone security policy.
To create a zone for the VPN
1. Go to System > Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
If you instead leave intra-zone traffic unblocked, spoke-to-spoke traffic is allowed without a security policy. However, traffic that is passed by the intra-zone setting does not go through a policy, so you cannot apply UTM features (such as antivirus, IPS or web filtering) or logging to traffic between spokes. Blocking intra-zone traffic and adding an explicit policy keeps that inspection point.
5. In Interface Members, select the virtual IPsec interface, toSpokes.
6. Select OK.
To create a security policy for the zone
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings:
Incoming Interface: Select Our_VPN_zone.
Source Address: Select All.
Outgoing Interface: Select Our_VPN_zone.
Destination Address: Select All.
Action: Select ACCEPT.
Enable NAT: Enable.
4. Select OK.
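The same zone and zone-to-zone policy, entered from the FortiOS CLI instead of the GUI. This is an added example and not part of the original page; it assumes the virtual IPsec interface is named toSpokes as in the procedure above, and the optional UTM lines assume the built-in "default" IPS sensor and protocol-options profile exist, which they do on a factory FortiOS 5.0 configuration (leave those lines out if you have renamed or removed them).

```fortios
# Zone containing the hub's virtual IPsec interface. "intrazone deny"
# corresponds to the "Block intra-zone traffic" check box: spoke-to-spoke
# traffic must match a security policy instead of being passed implicitly.
config system zone
    edit "Our_VPN_zone"
        set intrazone deny
        set interface "toSpokes"
    next
end

# Zone-to-zone policy: source and destination are the same zone, so this
# matches traffic entering from one spoke and leaving toward another.
# "edit 0" creates a new policy with the next free ID.
config firewall policy
    edit 0
        set srcintf "Our_VPN_zone"
        set dstintf "Our_VPN_zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Optional: because the traffic now traverses a policy, UTM
        # inspection can be applied to it (assumes the "default" profiles
        # exist on this unit).
        set utm-status enable
        set ips-sensor "default"
        set profile-protocol-options "default"
    next
end
```

After entering the configuration, `show system zone` and `show firewall policy` display what was created; check that the policy's srcintf and dstintf are both Our_VPN_zone and that intrazone is deny on the zone. The policy is stateful, so a spoke-to-spoke session is matched once on the way in and the return traffic is accepted as part of that session.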