Fortinet FortiGate 50A User Manual
Page 200
200
Fortinet Inc.
IPSec VPN concentrators
IPSec VPN
4
Add a separate outbound encrypt policy for each remote VPN spoke. These policies
control the encrypted connections initiated by the local VPN spoke.
The encrypt policy must include the appropriate source and destination addresses
and the tunnel added in step
1
. Use the following configuration:
See
“Adding an encrypt policy” on page 195
.
5
Add an inbound encrypt policy. This policy controls the encrypted connections initiated
by the remote VPN spokes.
The encrypt policy for the hub must include the appropriate source and destination
addresses and the tunnel added in step
1
. Use the following configuration:
See
“Adding an encrypt policy” on page 195
.
6
Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Source
The local VPN spoke address.
Destination
The remote VPN spoke address.
Action
ENCRYPT
VPN Tunnel
The VPN tunnel name added in step
1
. (Use the same tunnel for all encrypt
policies.)
Allow inbound Do not enable.
Allow outbound Select allow outbound
Inbound NAT
Select inbound NAT if required.
Outbound NAT Select outbound NAT if required.
Source
The local VPN spoke address.
Destination
External_All
Action
ENCRYPT
VPN Tunnel
The VPN tunnel name added in step
1
. (Use the same tunnel for all encrypt
policies.)
Allow inbound Select allow inbound.
Allow outbound Do not enable.
Inbound NAT
Select inbound NAT if required.
Outbound NAT Select outbound NAT if required.
Note: The default non-encrypt policy is required to allow the VPN spoke to access other
networks, such as the Internet.