FortiGate
princes
Staff
Article Id 387220
Description: This article provides a basic overview of use cases and traffic flow in policy-based and route-based IPsec tunnels.
Scope: FortiGate.
Solution

In some scenarios, there is a requirement to configure policy-based IPsec VPNs.

If the remote device cannot use a routed virtual tunnel interface, or uses a legacy crypto-map-based configuration that is bound to a WAN interface, the only option is to configure a policy-based VPN.

The drawback of policy-based tunnels is that dynamic routing cannot be used, because the tunnel is not bound to a virtual tunnel interface.

 

The pros and cons of policy-based VPNs are listed below.

Pros:

  • Less resource-intensive than route-based tunnels.
  • For stable (unchanging) networks, it is easy to configure once.

Cons:

  • Legacy method that is not scalable for rapidly growing or changing networks.
  • Unable to run dynamic routing.
  • Cannot be used for a hub-and-spoke setup.

 

Route-based IPsec tunnels:

  • The route-based tunnel is the latest and most scalable technology.
  • There are no cons to using route-based tunnels instead of policy-based tunnels.
  • On FortiGate, the default configuration mode is route-based.

 

Traffic flow in route-based and policy-based IPsec tunnels:

Traffic flow in the route-based tunnel:

  1. Traffic is received on the inside interface and sent to the virtual tunnel interface.
  2. The SAs are bound to each dedicated tunnel interface.
  3. If the phase 2 selectors allow the incoming range, the traffic is verified against the destination routes that point through the tunnel interface.
  4. Based on the firewall policy from the internal interface to the tunnel interface, the traffic is encrypted and sent out via the associated WAN link.

 

Traffic flow in policy-based IPsec tunnels:

  1. The SAs are attached to the WAN interface.
  2. No route lookup against a virtual tunnel interface is needed.
  3. Based on the source and destination allowed in the firewall policy, the matching SA is applied to the traffic (policy from LAN to WAN).
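To make the two traffic flows concrete, the following FortiOS CLI configuration is an added example, not configuration from the original article or from Fortinet. It builds one route-based tunnel (phase1-interface/phase2-interface, a static route pointing at the tunnel interface, and an accept policy from "internal" to the tunnel interface) and one policy-based tunnel (phase1/phase2 bound to "wan1", with a firewall policy whose action is ipsec and which names the tunnel). The interface names, address objects, subnets, peer addresses (RFC 5737 documentation ranges) and the pre-shared key placeholder are all assumptions.

```fortios
# Added example, not from the original article. Interface names, subnets,
# peer addresses and the PSK placeholder are assumed values.

# --- Route-based tunnel: phase1-interface creates a virtual tunnel interface
# named after the phase 1, so routes and firewall policies can reference it.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret "<replace-with-strong-psk>"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        # Open selectors are acceptable here: the route, not the selector,
        # decides what enters the tunnel. Narrow them if the peer requires it.
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Route-based flow, step 3: a route whose egress device is the tunnel interface.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
    next
end
config firewall address
    edit "lan-net"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "branch-net"
        set subnet 10.20.0.0 255.255.0.0
    next
end
# Route-based flow, step 4: policy from the inside interface to the tunnel interface.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "lan-net"
        set dstaddr "branch-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Policy-based tunnel: phase1 (without "-interface") binds the SAs to wan1,
# and the firewall policy itself selects the traffic that gets encrypted.
config system settings
    set gui-policy-based-ipsec enable
end
config vpn ipsec phase1
    edit "to-legacy"
        set interface "wan1"
        set proposal aes256-sha256
        set remote-gw 203.0.113.20
        set psksecret "<replace-with-strong-psk>"
    next
end
config vpn ipsec phase2
    edit "to-legacy-p2"
        set phase1name "to-legacy"
        set proposal aes256-sha256
        # Selectors must be explicit: they have to mirror the peer's crypto map.
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.30.0.0 255.255.0.0
    next
end
config firewall address
    edit "legacy-net"
        set subnet 10.30.0.0 255.255.0.0
    next
end
# Policy-based flow, step 3: LAN-to-WAN policy with action ipsec applies the SA.
config firewall policy
    edit 0
        set name "lan-to-legacy"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "legacy-net"
        set action ipsec
        set vpntunnel "to-legacy"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
```

The difference in the two flows is visible in the verification commands: for the route-based tunnel, `get router info routing-table all` shows 10.20.0.0/16 with device "to-branch", and the firewall policy is matched on the tunnel interface; for the policy-based tunnel no such route exists, and `diagnose vpn tunnel list` shows the SA with the explicit 10.10.0.0/16 to 10.30.0.0/16 selectors that the LAN-to-WAN policy feeds. Because the policy-based SA is tied to wan1 and to those static selectors, a second WAN link or a dynamic routing protocol cannot redirect the traffic, which is the failover and scalability limitation described in the article.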

 

Note:

  • Always prefer route-based IPsec tunnels if the remote device supports them.
  • Proper failover cannot be achieved through policy-based IPsec tunnels.
  • Open selectors can be used in route-based tunnels but never in policy-based tunnels.

 

Related documents:

Technical Tip: Enable 'Policy-Based IPsec VPN' configuration

Basic site-to-site VPN with pre-shared key
