The rules in this example allow protected hosts to open connections both ways. Two rules are created here to allow the different directions of traffic separately. 
  
 
	  
 
		 VPN rules are matched based on source, destination, and service like any other rules. 
			Note: This configuration scenario does not explain all settings related to VPN Access rules. 
 
		 For more details about the product and how to configure features, click Help or
            press F1.
 For more details about the product and how to configure features, click Help or
            press F1.
 
	 
 
	 Steps
- 
                Select  Configuration. Configuration.
- 
				Browse to .
			
- 
				Right-click the Engine policy that is used by the Secure SD-WAN Engines involved in the VPN, then select Edit Engine
						Policy.
			
-  
		  Add two IPv4 Access rules in a suitable location in the policy. 
		   
		   
			  
				- Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic the Allow, Discard, or
								Refuse action. 
- Traffic that you do not want to send through the VPN must not match these rules. Traffic that is not routable through the VPN is dropped if it matches these rules. 
 
 
- 
				Fill in the rules as outlined here. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied. 
				
					
Table 1. Example VPN rules
								
									| Source | Destination | Service | Action |  
									| Local internal networks | Remote internal networks | Set as needed. | Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select a
											Policy-Based SD-WAN. |  
									| Remote internal networks | Local internal networks | Set as needed. | Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select a
											Policy-Based SD-WAN. |  
 
 
-  
		  Save the policy. 
		   
		   
			 CAUTION: If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can
						switch to certificate-based authentication by creating a custom VPN profile.  
 
- 
				Refresh the policies of all engines involved in the VPN to activate the new configuration. 
			
Result
 The VPN is established when traffic matches the Access rules created here. Example VPN configuration 2 is now complete.