Defining security policies for a route-based VPN
When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec security policies.
To define security policies for a route-based VPN
1. Go to Policy & Objects > Policy > IPv4.
2. Select Create New and leave the Policy Type as Firewall, and the Policy Subtype as Address.
3. Define an ACCEPT security policy to permit communications between the local private network and the private network behind the remote peer. Enter these settings in particular:
| Setting | Value |
| --- | --- |
| Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
| Source Address | Select the address name that you defined for the private network behind this FortiGate unit. |
| Outgoing Interface | Select the IPsec Interface you configured. |
| Destination Address | Select the address name that you defined for the private network behind the remote peer. |
| Action | Select ACCEPT. |
| Enable NAT | Disable. |
To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.
4. Select Create New and leave the Policy Type as Firewall, and the Policy Subtype as Address.
5. Enter these settings in particular:
| Setting | Value |
| --- | --- |
| Incoming Interface | Select the IPsec Interface you configured. |
| Source Address | Select the address name that you defined for the private network behind the remote peer. |
| Outgoing Interface | Select the interface that connects to the private network behind this FortiGate unit. |
| Destination Address | Select the address name that you defined for the private network behind this FortiGate unit. |
| Action | Select ACCEPT. |
| Enable NAT | Disable. |
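As an added example that is not part of this documentation page, the following is the FortiOS CLI equivalent of the two GUI policies built in steps 3 and 5, together with the address objects they reference. All names and addresses are assumptions: `internal` is the interface facing the local private network, `to_remote` is the virtual IPsec interface created for the route-based VPN, and `192.168.1.0/24` (local) and `10.0.0.0/24` (remote) are constructed sample subnets. The phase 1/phase 2 definitions of the tunnel and the static route that sends the remote subnet out `to_remote` are assumed to exist already.

```text
# Added example, not from the Fortinet documentation. Interface names,
# address names and subnets are assumptions; adjust them to your deployment.

# Address objects for the two private networks (step 3 and step 5 refer to
# these by name in Source Address / Destination Address).
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Remote_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

config firewall policy
    # Step 3: local private network -> private network behind the remote peer.
    # "edit 0" lets FortiOS assign the next free policy ID.
    edit 0
        set name "LAN_to_VPN"
        set srcintf "internal"
        set dstintf "to_remote"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Step 5: the mirror policy, so hosts behind the remote peer can initiate
    # connections. Interfaces and addresses are swapped; NAT stays disabled.
    edit 0
        set name "VPN_to_LAN"
        set srcintf "to_remote"
        set dstintf "internal"
        set srcaddr "Remote_LAN"
        set dstaddr "Local_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The `#` lines are annotations; drop them if you paste the block into an interactive CLI session. After applying it, `show firewall policy` should list both policies with the interfaces and addresses mirrored and `nat` absent or set to `disable`. Keeping NAT off matters because source NAT on the outbound policy would rewrite the local hosts' addresses to the IPsec interface address, so the remote peer would no longer see the private source network and the inbound policy on the other side would not match. `set service "ALL"` reproduces the permissive default of the GUI procedure; in production, narrow it to the services the remote site actually needs.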