Chapter 11 IPsec VPN for FortiOS 5.0 : Phase 2 parameters : Advanced phase 2 settings : Quick mode selectors
  
Quick mode selectors
Quick Mode selectors determine which IP addresses can perform IKE negotiations to establish a tunnel. By only allowing authorized IP addresses access to the VPN tunnel, the network is more secure.
The default settings are as broad as possible: any IP address or configured address object, using any protocol, on any port.
 
While the drop-down menus for specifying an address also show address groups, the use of address groups is not supported.
To make it easy to determine whether a choice in the drop-down menu is an address or an address group, the two types of objects are separated into sections, with the address groups at the bottom of the list.
When configuring the Quick Mode selector Source Address and Destination Address, valid options include IPv4 and IPv6 single addresses, IPv4 subnets, or IPv6 subnets. For more information on IPv6 IPsec VPN, see “Overview of IPv6 IPsec support”.
There are some configurations that require specific selectors:
the VPN peer is a third-party device that uses specific phase2 selectors
the FortiGate unit connects as a dialup client to another FortiGate unit, in which case you must specify a source IP address, IP address range or subnet
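The FortiOS CLI configuration below is an added example and is not taken from the Fortinet documentation. It shows the broad default selectors described above, a narrowed phase 2 definition that limits the tunnel to one local and one remote subnet, and a dialup-client phase 2 with the specific source subnet that the dialup case requires. The tunnel names, phase 1 names and subnets are assumed values; the lines beginning with "#" are annotations and should be dropped before pasting into the CLI.

```text
# Added example, not from the FortiOS documentation. Names and subnets are assumed.
# Lines starting with "#" are annotations; remove them before pasting into the CLI.

# 1. Default quick mode selectors: any address, any protocol, any port.
#    This is what a phase 2 looks like when nothing has been narrowed.
config vpn ipsec phase2-interface
    edit "branch_p2_default"
        set phase1name "branch_p1"
        set proposal aes256-sha256
        set src-addr-type subnet
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-addr-type subnet
        set dst-subnet 0.0.0.0 0.0.0.0
        set protocol 0
        set src-port 0
        set dst-port 0
    next
end

# 2. Narrowed selectors: only 10.1.1.0/24 (local) to 10.2.2.0/24 (remote)
#    is negotiated for this security association; other traffic is not covered.
config vpn ipsec phase2-interface
    edit "branch_p2"
        set phase1name "branch_p1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-addr-type subnet
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end

# 3. Dialup client to another FortiGate: the source selector must be a
#    specific address, address range or subnet, not 0.0.0.0/0.
config vpn ipsec phase2-interface
    edit "dialup_client_p2"
        set phase1name "dialup_client_p1"
        set proposal aes256-sha256
        set src-addr-type subnet
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.0.0.0 255.255.0.0
        set auto-negotiate enable
    next
end
```

After the tunnel comes up, `diagnose vpn tunnel list` shows the selectors that were actually negotiated for each phase 2 (the src and dst entries under each proxyid), which is the quickest way to confirm that a narrowed configuration took effect rather than falling back to the any-to-any default.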
With FortiOS VPNs, your network has multiple layers of security, with quick mode selectors being an important line of defence.
Routes guide traffic from one IP address to another.
Phase 1 and phase 2 connection settings ensure there is a valid remote end point for the VPN tunnel that agrees on the encryption and parameters.
Quick mode selectors allow IKE negotiations only for allowed peers.
Security policies control which IP addresses can connect to the VPN.
Security policies also control what protocols are allowed over the VPN along with any bandwidth limiting.