Define the hub-spoke security policies
1. Define a name for the address of the private network behind the hub. For more information, see Defining VPN security policies on page 1648.
2. Define names for the addresses or address ranges of the private networks behind the spokes. For more information, see Defining VPN security policies on page 1648.
3. Define the VPN concentrator. See To define the VPN concentrator on page 1676.
4. Define security policies to permit communication between the hub and the spokes. For more information, see Defining VPN security policies on page 1648.
Route-based VPN security policies
Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction.
To add policies
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular. You need one policy for each direction of traffic.

Spoke-to-hub policy:
Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
Outgoing Interface: Select the hub's interface to the internal (private) network.
Destination Address: Select the address name you defined in Step 1 for the private network behind the hub.
Action: Select ACCEPT.
Enable NAT: Enable.

Hub-to-spoke policy:
Incoming Interface: Select the hub's interface to the internal (private) network.
Source Address: Select the address name you defined in Step 1 for the private network behind the hub.
Outgoing Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Destination Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
Action: Select ACCEPT.
Enable NAT: Enable.
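The address objects from Steps 1 and 2 and the two route-based policies above, written as an added FortiOS CLI example. This is not text from the original handbook; the address names, the interface names (hub-vpn for the IPsec tunnel interface and internal for the hub's LAN interface) and the subnets are constructed for illustration and must be replaced with the names you actually configured.

```fortios
# Step 1: address name for the private network behind the hub (constructed example subnet)
config firewall address
    edit "hub_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    # Step 2: address name covering the private networks behind all spokes (constructed)
    edit "spoke_lans"
        set subnet 10.2.0.0 255.255.0.0
    next
end

config firewall policy
    # Spoke-to-hub: traffic arriving on the IPsec interface, bound for the hub LAN
    edit 0
        set name "spokes-to-hub"
        set srcintf "hub-vpn"
        set dstintf "internal"
        set srcaddr "spoke_lans"
        set dstaddr "hub_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Hub-to-spoke: the reverse direction, hub LAN out through the IPsec interface
    edit 0
        set name "hub-to-spokes"
        set srcintf "internal"
        set dstintf "hub-vpn"
        set srcaddr "hub_lan"
        set dstaddr "spoke_lans"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Each `edit 0` creates a policy with the next free ID; confirm the result with `show firewall policy`. Two points to check when adapting this: `set service "ALL"` permits every protocol, so narrowing it to the services the spokes actually need is the least-privilege form of the same policy; and with NAT enabled, sessions leaving through the policy are source-translated to the outgoing interface's address, so hosts and logs behind the hub see the hub interface IP rather than the originating spoke host. If per-host visibility or per-host access control is needed on the hub LAN, keep the address objects specific and weigh whether NAT is required in that direction.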