RichardH
New Member
September 29, 2009
Question

Policy Based or Route Based IPSec VPN?

I have 6 sites, I'll end up with a partially meshed topology, should I design my VPN using policy based or route based? I currently have two sites on policy based and have come across issues with dual WAN setup on my 110C. I'm asking the above question looking for next steps before I continue to troubleshoot my routing issues with dual WAN. With route based, I can have partially redundant tunnels... it's nice to have, but not something I need. Also, to add a bit of background, while reading about route based, the configuration is what I originally expected. For example, I expected to configure routes manually for each VPN tunnel rather than using inbound NAT on policy based. Anyways, if it doesn't matter, so be it, I'll pick one and run with it. If I'll have less headache running dual WAN using route based, I'll switch gears and run with it.

    6 replies

    RichardH (Author)
    New Member
    September 29, 2009
    I read page 16 of the "Configuring IPSec VPNs" doc at docs.fortinet.com... I'll stick with policy based and use a concentrator... I'll leave this thread open, just in case someone can share some similar experience or guide me.
    rwpatterson
    New Member
    September 29, 2009
    Route based is less configurable. You cannot route over route based to subnets that are not directly attached to the remote FGT. There are issues (I have had) where NATting can be a problem. You probably won't run into those. Also if you use interface based tunnels, you can place them into a zone, and will have to configure one single policy for all tunnels included in the zone. A definite plus in the maintenance area... My $.02
    g3rman
    New Member
    September 29, 2009
    Richard, interface based tunnels are the way to go. Routed VPN tunnels aren't exactly legacy but as Bob mentioned interface based VPNs are much more powerful.
    RichardH (Author)
    New Member
    September 29, 2009
    I'll test route based VPN using zones...
    rwpatterson
    New Member
    September 29, 2009
    Zones require interfaces....
    g3rman
    New Member
    September 29, 2009
    Route based VPNs don't support zones since you are not creating any additional interfaces.
    abelio
    SuperUser
    September 29, 2009
    Hello all, just to clarify (the thread became confusing, for me at least): routed (= interface-based) VPNs are those with ACCEPT-action firewall policies. On the other side, policy-based VPNs are those with IPSec-action firewall policies.
    rwpatterson
    New Member
    September 29, 2009
    LOL.. true. I was right, kinda...
    FortiRack_Eric
    New Member
    September 30, 2009
    Policy based VPNs are legacy. And interface (route) mode doesn't need a zone per se.
    rwpatterson
    New Member
    September 30, 2009
    I have 6 sites in interface mode with the same requirement. I put them into a single zone = one policy. Easier to manage, but yes, not required.
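
The following is an added example, not configuration posted by anyone in this thread and not Fortinet's documentation. It shows, side by side, the two styles abelio distinguishes (a policy-based tunnel selected by a firewall policy with action ipsec, versus an interface-based tunnel that appears as its own interface, gets a static route, and is matched by an ordinary ACCEPT policy) and the zone trick rwpatterson describes, where several tunnel interfaces share one policy. It also adds the "partially redundant" second tunnel over wan2 that the original poster asked about, as a higher-distance backup route. All names, subnets and addresses (to_siteB, 10.1.0.0/16, 203.0.113.10, etc.) are made up for the example, and the CLI keywords are written from memory of FortiOS 4.x; check them against the handbook for the firmware actually running on the 110C before pasting.

```text
# ---- Style 1: policy-based tunnel (example, assumed names) ----
# Phase 1/2 are defined under "vpn ipsec phase1" / "phase2" (no "-interface"),
# so no tunnel interface is created. The firewall policy itself is the tunnel
# selector: action ipsec + vpntunnel, with inbound/outbound (and optionally
# natinbound, which is the "inbound NAT" mentioned in the question).
config vpn ipsec phase1
    edit "to_siteB_pol"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2
    edit "to_siteB_pol_p2"
        set phase1name "to_siteB_pol"
        set proposal aes256-sha1
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "siteA_lan"
        set dstaddr "siteB_lan"
        set action ipsec
        set vpntunnel "to_siteB_pol"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end

# ---- Style 2: interface-based (route-based) tunnel, two peers, zone ----
# "phase1-interface" creates an interface named after the phase1 entry.
# Traffic is steered into it by static routes, and the firewall policy is a
# normal ACCEPT policy between real interfaces (or a zone of them).
config vpn ipsec phase1-interface
    edit "to_siteB"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set psksecret <shared-secret>
    next
    edit "to_siteB_wan2"               # backup tunnel over the second WAN link
        set interface "wan2"
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set psksecret <shared-secret>
    next
    edit "to_siteC"
        set interface "wan1"
        set remote-gw 198.51.100.20
        set proposal aes256-sha1
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "to_siteB_p2"
        set phase1name "to_siteB"
        set proposal aes256-sha1
    next
    edit "to_siteB_wan2_p2"
        set phase1name "to_siteB_wan2"
        set proposal aes256-sha1
    next
    edit "to_siteC_p2"
        set phase1name "to_siteC"
        set proposal aes256-sha1
    next
end
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to_siteB"           # preferred path, default distance 10
    next
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to_siteB_wan2"
        set distance 20                 # only used when the wan1 tunnel is down
    next
    edit 0
        set dst 10.3.0.0 255.255.0.0
        set device "to_siteC"
    next
end
config system zone
    edit "VPN"
        set interface "to_siteB" "to_siteB_wan2" "to_siteC"
    next
end
config firewall policy
    edit 0                              # one policy covers every tunnel in the zone
        set srcintf "internal"
        set dstintf "VPN"
        set srcaddr "siteA_lan"
        set dstaddr "remote_lans"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0                              # and the reverse direction
        set srcintf "VPN"
        set dstintf "internal"
        set srcaddr "remote_lans"
        set dstaddr "siteA_lan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Two things worth checking after applying something like this: `diagnose vpn tunnel list` should show each phase1 by name with its bound interface, and `get router info routing-table all` should show the 10.2.0.0/16 route via to_siteB with the wan2 entry only taking over when the primary tunnel goes down. The ACCEPT policies above are deliberately scoped to the site address objects rather than "all"; with a zone carrying every tunnel, a single over-broad policy would let any remote site reach any other, which is more than a partial mesh should allow.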