Creating route-based VPN security policies
Define an ACCEPT security policy to permit communications between the source and destination addresses.
To create route-based VPN security policies
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following, and select OK.
Incoming Interface: Select internal. This is the interface that connects to the private network behind this FortiGate unit.
Source Address: Select Finance_network when configuring FortiGate_1, or HR_network when configuring FortiGate_2. This is the address name for the private network behind this FortiGate unit.
Outgoing Interface: Select peer_1. This is the VPN tunnel (IPsec interface) you configured earlier.
Destination Address: Select HR_network when configuring FortiGate_1, or Finance_network when configuring FortiGate_2. This is the address name that you defined for the private network behind the remote peer.
Action: Select ACCEPT.
Enable NAT: Disable.
Comments: Allow Internal to remote VPN network traffic.
4. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
5. Select Create New to create another policy for the other direction.
6. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
7. Enter the following information, and select OK.
Incoming Interface: Select peer_1. This is the VPN tunnel (IPsec interface) you configured.
Source Address: Select HR_network when configuring FortiGate_1, or Finance_network when configuring FortiGate_2. This is the address name defined for the private network behind the remote peer.
Outgoing Interface: Select internal. This is the interface that connects to the private network behind this FortiGate unit.
Destination Address: Select Finance_network when configuring FortiGate_1, or HR_network when configuring FortiGate_2. This is the address name defined for the private network behind this FortiGate unit.
Action: Select ACCEPT.
Enable NAT: Disable.
Comments: Allow remote VPN network traffic to Internal.
8. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
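The same pair of policies for FortiGate_1, written in the FortiOS CLI as an added example rather than text from the handbook. It assumes the GUI defaults of schedule "always" and service "ALL", which the steps above do not mention; for FortiGate_2, swap the Finance_network and HR_network names.

```text
config firewall policy
    # Direction 1: internal -> peer_1 (Finance_network to HR_network)
    edit 0
        set srcintf "internal"
        set dstintf "peer_1"
        set srcaddr "Finance_network"
        set dstaddr "HR_network"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Allow Internal to remote VPN network traffic."
    next
    # Direction 2: peer_1 -> internal (HR_network to Finance_network)
    edit 0
        set srcintf "peer_1"
        set dstintf "internal"
        set srcaddr "HR_network"
        set dstaddr "Finance_network"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Allow remote VPN network traffic to Internal."
    next
end
```

The firewall is stateful, so the first policy alone is enough for sessions that Finance_network initiates; the second policy is what allows sessions initiated from the HR side, which the implicit deny would otherwise drop.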