Fortinet FortiGate 50A Installation And Configuration Manual page 200

Fortinet FortiGate installation and configuration guide
IPSec VPN concentrators
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies
control the encrypted connections initiated by the local VPN spoke.
The encrypt policy must include the appropriate source and destination addresses
and the tunnel added in step 1. Use the following configuration:

Source          The local VPN spoke address.
Destination     The remote VPN spoke address.
Action          ENCRYPT
VPN Tunnel      The VPN tunnel name added in step 1. (Use the same tunnel for all
                encrypt policies.)
Allow inbound   Do not enable.
Allow outbound  Select allow outbound.
Inbound NAT     Select inbound NAT if required.
Outbound NAT    Select outbound NAT if required.

See "Adding an encrypt policy" on page 195.

5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated
by the remote VPN spokes.
The encrypt policy for the hub must include the appropriate source and destination
addresses and the tunnel added in step 1. Use the following configuration:

Source          The local VPN spoke address.
Destination     External_All
Action          ENCRYPT
VPN Tunnel      The VPN tunnel name added in step 1. (Use the same tunnel for all
                encrypt policies.)
Allow inbound   Select allow inbound.
Allow outbound  Do not enable.
Inbound NAT     Select inbound NAT if required.
Outbound NAT    Select outbound NAT if required.

See "Adding an encrypt policy" on page 195.

6 Arrange the policies in the following order:
- outbound encrypt policies
- inbound encrypt policy
- default non-encrypt policy (Internal_All -> External_All)

Note: The default non-encrypt policy is required to allow the VPN spoke to access other
networks, such as the Internet.
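A check of a spoke's policy list against steps 4 to 6, as an added example that is not taken from the Fortinet manual. The Policy class, the check_spoke_policies function and the names Spoke_A, Spoke_B, Spoke_C and To_Hub are hypothetical, and the rows are constructed by hand rather than exported from a FortiGate unit.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical model of one row in the spoke's policy list
    src: str
    dst: str
    action: str  # "ENCRYPT" or "ACCEPT"
    tunnel: str = ""
    allow_inbound: bool = False
    allow_outbound: bool = False

def kind(p):
    if p.action != "ENCRYPT":
        return "plain"
    if p.allow_outbound != p.allow_inbound:
        return "outbound" if p.allow_outbound else "inbound"
    return "invalid"  # both directions enabled, or neither

def check_spoke_policies(policies, local, remotes, tunnel):
    """Return deviations from steps 4-6; an empty list means compliant."""
    problems, rows = [], [(p, kind(p)) for p in policies]
    for p, k in rows:
        if k == "invalid":
            problems.append(f"{p.src}->{p.dst}: enable exactly one direction")
        if k != "plain" and p.tunnel != tunnel:
            problems.append(f"{p.src}->{p.dst}: tunnel must be {tunnel}")
    # Step 4: one outbound encrypt policy per remote spoke.
    covered = {p.dst for p, k in rows if k == "outbound" and p.src == local}
    problems += [f"no outbound encrypt policy for {r}" for r in sorted(set(remotes) - covered)]
    # Step 5: a single inbound encrypt policy, local spoke -> External_All.
    inbound = [(p.src, p.dst) for p, k in rows if k == "inbound"]
    if inbound != [(local, "External_All")]:
        problems.append("need exactly one inbound encrypt policy: local -> External_All")
    # Step 6: outbound encrypt, then inbound encrypt, then non-encrypt policies.
    order = [{"outbound": 0, "inbound": 1, "plain": 2}[k] for _, k in rows if k != "invalid"]
    if order != sorted(order):
        problems.append("policy order violates step 6")
    if ("Internal_All", "External_All") not in [(p.src, p.dst) for p, k in rows if k == "plain"]:
        problems.append("missing default policy Internal_All -> External_All")
    return problems

# Constructed sample: local spoke Spoke_A, remote spokes Spoke_B and Spoke_C.
GOOD = [
    Policy("Spoke_A", "Spoke_B", "ENCRYPT", "To_Hub", allow_outbound=True),
    Policy("Spoke_A", "Spoke_C", "ENCRYPT", "To_Hub", allow_outbound=True),
    Policy("Spoke_A", "External_All", "ENCRYPT", "To_Hub", allow_inbound=True),
    Policy("Internal_All", "External_All", "ACCEPT"),
]
print(check_spoke_policies(GOOD, "Spoke_A", ["Spoke_B", "Spoke_C"], "To_Hub"))
```

Moving the default Internal_All -> External_All row above the encrypt policies makes the step 6 check report an ordering problem.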
IPSec VPN
Fortinet Inc.