Chapter 11 IPsec VPN for FortiOS 5.0 : Hub-and-spoke configurations : Dynamic spokes configuration example : Configure the spokes : Define the security policies
  
Define the security policies
You need to define firewall addresses for the spokes and the aggregate protected network and then create a security policy to enable communication between them.
To define the IP address of the network behind the spoke
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name, for example, LocalNet.
Type: Subnet
Subnet/IP Range: Enter the IP address of the private network behind the spoke.
For spoke_1, this is 10.1.1.0/24.
For spoke_2, this is 10.1.2.0/24.
To specify the IP address of the aggregate protected network
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information, and select OK:
Address Name: Enter an address name, for example, Spoke_net.
Type: Subnet
Subnet/IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16.
To define the security policy
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following and select OK:
Incoming Interface: Select the virtual IPsec interface, toHub.
Source Address: Select the aggregate protected network address, Spoke_net.
Outgoing Interface: Select the interface to the internal (private) network, port1.
Destination Address: Select the address for this spoke’s protected network, LocalNet.
Action: Select ACCEPT.
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface: Select the interface to the internal (private) network, port1.
Source Address: Select the address for this spoke’s protected network, LocalNet.
Outgoing Interface: Select the virtual IPsec interface, toHub.
Destination Address: Select the aggregate protected network address, Spoke_net.
Action: Select ACCEPT.
Place these policies in the policy list above any other policies having similar source and destination addresses.
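The same address objects and the two policies entered from the FortiOS CLI, as an added example that is not part of this chapter. The interface names (toHub, port1) and the addresses are those given above; the policy IDs 1 and 2, and the schedule "always" and service "ALL" that the GUI fills in by default, are assumptions.

```fortios
# Address objects on spoke_1 (spoke_2 uses 10.1.2.0 255.255.255.0 for LocalNet)
config firewall address
    edit "LocalNet"
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Spoke_net"
        set type ipmask
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Policy 1: traffic arriving over the IPsec tunnel, destined for the local LAN
# Policy 2: traffic from the local LAN, leaving over the IPsec tunnel
# (IDs, schedule and service are assumed; the GUI applies the same defaults)
config firewall policy
    edit 1
        set srcintf "toHub"
        set dstintf "port1"
        set srcaddr "Spoke_net"
        set dstaddr "LocalNet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port1"
        set dstintf "toHub"
        set srcaddr "LocalNet"
        set dstaddr "Spoke_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policies created with edit are appended to the end of the list, so if the spoke already has policies with overlapping source and destination addresses, reposition the new ones with move <id> before <id> inside config firewall policy so they sit above them. Service "ALL" mirrors the GUI default; narrow it to the protocols the spoke networks actually exchange where that is known.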