Configuring security policies
Two sets of security policies are required:
Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
To configure security policies - web-based manager
1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:
   Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
   Source Address: All
   Outgoing Interface: Select the GRE tunnel virtual interface you configured.
   Destination Address: All
   Action: ACCEPT
   Enable NAT: Disable
2. To permit the remote client to initiate communication, define a second ACCEPT security policy for traffic in the reverse direction (from the GRE tunnel to the protected network):
   Incoming Interface: Select the GRE tunnel virtual interface you configured.
   Source Address: All
   Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
   Destination Address: All
   Action: ACCEPT
   Enable NAT: Disable
3. Define a pair of ACCEPT security policies to permit traffic to flow in both directions between the GRE virtual interface and the IPsec virtual interface:
   First policy (GRE tunnel to IPsec interface):
   Incoming Interface: Select the GRE virtual interface. See “Configuring the GRE tunnel”.
   Source Address: All
   Outgoing Interface: Select the virtual IPsec interface you created. See “Configuring the IPsec VPN”.
   Destination Address: All
   Action: ACCEPT
   Enable NAT: Disable
   Second policy (IPsec interface to GRE tunnel):
   Incoming Interface: Select the virtual IPsec interface you created. See “Configuring the IPsec VPN”.
   Source Address: All
   Outgoing Interface: Select the GRE virtual interface. See “Configuring the GRE tunnel”.
   Destination Address: All
   Action: ACCEPT
   Enable NAT: Disable
To configure security policies - CLI
In this listing, port2 is the interface to the protected network, gre1 is the GRE tunnel virtual interface and tocisco is the IPsec virtual interface. The purpose of each policy is recorded with set comments so the listing can be pasted into the CLI as-is.
config firewall policy
    edit 1
        set comments "LAN to GRE tunnel"
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set comments "GRE tunnel to LAN"
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set comments "GRE tunnel to IPsec interface"
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set comments "IPsec interface to GRE tunnel"
        set srcintf "tocisco"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
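Both procedures above come down to one invariant: for each of the two interface pairs (protected network and GRE tunnel, GRE tunnel and IPsec interface) there must be an ACCEPT policy in each direction with NAT disabled, and a missing reverse policy or a stray NAT setting is the usual reason a GRE-over-IPsec tunnel forwards in only one direction. The following script is an added example, not Fortinet's own tooling: it parses a config firewall policy block from a saved FortiGate configuration and reports any required direction that is missing, not ACCEPT, or NAT-enabled. The interface names port2, gre1 and tocisco are taken from the CLI listing above; the embedded sample configuration is constructed for the demonstration and deliberately omits policy 4 and enables NAT on policy 2.

```python
"""Check a FortiOS 'config firewall policy' block for the policy pairs that
GRE over IPsec needs: LAN <-> GRE tunnel and GRE tunnel <-> IPsec interface,
each direction ACCEPT with NAT left disabled.

Added example for this page; not Fortinet's code. Interface names follow the
page's CLI listing (port2 = LAN, gre1 = GRE tunnel, tocisco = IPsec interface).
"""
import shlex

# Constructed sample config (not from a real device). It contains two
# deliberate defects: policy 2 enables NAT, and policy 4 (tocisco -> gre1)
# is missing, so the check below must report both.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "gre1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "gre1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "gre1"
        set dstintf "tocisco"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""

# Interface pairs that need a policy in both directions for GRE over IPsec.
REQUIRED_PAIRS = [("port2", "gre1"), ("gre1", "tocisco")]


def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for the 'config firewall policy'
    block in a FortiOS config dump. shlex handles the quoted values and
    multi-valued settings such as: set srcintf "port1" "port2"."""
    policies = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        if line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            policies[current][parts[1]] = parts[2:]
    return policies


def check_gre_over_ipsec(policies, pairs=REQUIRED_PAIRS):
    """Return a list of findings; an empty list means every required direction
    has an ACCEPT policy with NAT disabled (FortiOS defaults: action deny,
    nat disable, which is what the .get() fallbacks assume)."""
    findings = []
    by_direction = {}
    for pid, settings in policies.items():
        for src in settings.get("srcintf", []):
            for dst in settings.get("dstintf", []):
                by_direction.setdefault((src, dst), []).append(pid)
    for a, b in pairs:
        for src, dst in ((a, b), (b, a)):
            ids = by_direction.get((src, dst), [])
            if not ids:
                findings.append(f"missing policy {src} -> {dst}")
                continue
            for pid in ids:
                settings = policies[pid]
                if settings.get("action", ["deny"]) != ["accept"]:
                    findings.append(f"policy {pid} ({src} -> {dst}) is not ACCEPT")
                if settings.get("nat", ["disable"]) == ["enable"]:
                    findings.append(f"policy {pid} ({src} -> {dst}) has NAT enabled")
    return findings


if __name__ == "__main__":
    problems = check_gre_over_ipsec(parse_policies(SAMPLE_CONFIG))
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
```

To run it against a real unit, replace SAMPLE_CONFIG with the text of a configuration backup (or the output of show firewall policy) and edit REQUIRED_PAIRS to match your interface names. The check is intentionally narrow: it verifies the policy pairs this page requires and nothing about addresses, schedules or services, which are all/always/ANY in the procedure above.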