
Policy based vpn & route based vpn

Hi All,


Can anybody please explain the difference between a policy-based VPN and a route-based VPN, and how each one works?


Thank you



First, almost no one uses policy-based VPNs anymore. If you happen to know Check Point firewalls, then a policy-based VPN is like Traditional Mode VPN in Check Point: it still exists, but it is a legacy feature.


The main difference is that a policy-based VPN uses security rules to determine where to send the encrypted packet and what traffic to encrypt. A route-based VPN uses routes to decide where to send the traffic, and security rules for, well, security decisions: what to allow and what not to. So, with a route-based VPN you have to create tunnels specifying all IPsec-related settings, add routes for the remote networks, and create security rules to allow the traffic. It is simpler to configure, maintain and debug, and you can run dynamic routing protocols over the tunnels as if they were regular interfaces, which you cannot do with policy-based VPNs.


Yuri blog: All things Fortinet, no ads.

In a route-based VPN, we define a static route toward the destination networks and use the VPN interface as the outgoing interface for that traffic.

Benefits of Route-based VPN:

1. It is easy to configure for route failover.

2. It is easy to use with dynamic routing (OSPF, BGP).


In a policy-based IPsec tunnel, we create an IPsec policy, and the traffic can enter the tunnel without a route. Policy-based tunnels select traffic based on which rule it hits.


Route-Based VPN

With route-based VPNs, a policy does not specifically reference a VPN tunnel.

The number of route-based VPN tunnels that you create is limited by the number of route entries or the number of virtual interfaces that the device supports, whichever number is lower.

Route-based VPNs support NAT for virtual interfaces.

Route-based configurations are used for hub-and-spoke topologies.

With a route-based approach to VPNs, the regulation of traffic is not coupled to the means of its delivery. You can configure dozens of policies to regulate traffic flowing through a single VPN tunnel between two sites, and only one IPsec SA is at work. Also, a route-based VPN configuration allows you to create policies referencing a destination reached through a VPN tunnel in which the action is deny.

Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on a virtual interface that is bound to a VPN tunnel.


Policy-Based VPN

With policy-based VPN tunnels, a tunnel is treated as an object that, together with source, destination, application, and action, constitutes a tunnel policy that permits VPN traffic.

The number of policy-based VPN tunnels that you can create is limited by the number of policies that the device supports.

Policy-based VPNs cannot be used if NAT is required for tunneled traffic.

Policy-based VPNs cannot be used for hub-and-spoke topologies.

In a policy-based VPN configuration, the action must be allow and must include a tunnel.

The exchange of dynamic routing information is not supported in policy-based VPNs.

Niroj Pariyar
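As an added example (not part of either answer above), here is the same site-to-site tunnel configured both ways in FortiOS CLI, so the difference described in the two replies is visible in the actual config. The interface names (wan1, internal), tunnel names (to-branch, to-branch-pb), subnets (10.1.0.0/24 local, 10.2.0.0/24 remote), the peer address 203.0.113.2 and the pre-shared key placeholder are all assumptions for illustration.

```text
# Address objects used by the policies in both variants (constructed example)
config firewall address
    edit "lan-net"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "branch-net"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# ---- Route-based (interface mode): the tunnel is a virtual interface ----
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# Routing decides what enters the tunnel. The blackhole route has a worse
# distance: if the tunnel is down its route is withdrawn, and the blackhole
# drops the traffic instead of letting it leave via the default route in clear text.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
# Policies only decide what is allowed; action is accept, not ipsec.
# One policy per direction, each referencing the tunnel interface.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "lan-net"
        set dstaddr "branch-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "branch-to-lan"
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "branch-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Policy-based (legacy): the firewall policy both selects and encrypts ----
config vpn ipsec phase1
    edit "to-branch-pb"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2
    edit "to-branch-pb-p2"
        set phase1name "to-branch-pb"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# No static route for 10.2.0.0/24. A single policy toward the WAN interface
# with action ipsec carries the tunnel; inbound/outbound cover both directions.
config firewall policy
    edit 0
        set name "lan-branch-ipsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "branch-net"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to-branch-pb"
    next
end
```

The route-based half is the one to copy in practice: the tunnel appears as an interface you can reference in routes, policies, OSPF or BGP, and the blackhole route is the check that keeps a tunnel outage from turning into unencrypted traffic on the WAN. In the policy-based half, notice that nothing in the routing table mentions the remote subnet; whether a packet is encrypted depends entirely on which policy it matches, which is why the earlier replies describe it as harder to debug and unusable with dynamic routing.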
