Hi All,
Can anybody please explain what the difference is between policy-based VPN and route-based VPN, and how they work?
Thank you
Hi,
First, almost no one uses Policy-based VPNs anymore. If you happen to know Check Point firewalls, then Policy-based VPN is like Traditional Mode VPN in Check Point: it still exists, but it is a legacy feature.
The main difference is that a Policy-based VPN uses Security Rules to determine where to send the encrypted packet and what traffic to encrypt. A Route-based VPN uses routes to decide where to send the traffic, and Security rules for, well, security decisions: what to allow and what not to. So, with a Route-based VPN you have to create tunnels specifying all IPsec-related settings, add routes for remote networks, and create Security rules to allow traffic. It is simpler to configure/maintain/debug, and you can run dynamic routing protocols over the tunnels as if they were regular interfaces, which you cannot do with Policy-based VPNs.
In the route-based VPN, we define a static route toward the destination networks and use a VPN interface for outgoing traffic.
Benefits of Route-based VPN:
1. It is easy to configure for route failover.
2. It is easy to use with dynamic routing (OSPF, BGP).
In the policy-based IPsec tunnel, we create an IPsec policy and the traffic can go into the tunnel without a route. Policy-based tunnels will consider the traffic based on rule hit.
Route-Based VPN
With route-based VPNs, a policy does not specifically reference a VPN tunnel.
The number of route-based VPN tunnels that you create is limited by the number of route entries or the number of virtual interfaces that the device supports, whichever number is lower.
Route-based VPNs support NAT for virtual interfaces.
Route-based configurations are used for hub-and-spoke topologies.
With a route-based approach to VPNs, the regulation of traffic is not coupled to the means of its delivery. You can configure dozens of policies to regulate traffic flowing through a single VPN tunnel between two sites, and only one IPsec SA is at work. Also, a route-based VPN configuration allows you to create policies referencing a destination reached through a VPN tunnel in which the action is deny.
Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on a virtual interface that is bound to a VPN tunnel.
Policy-Based VPN
With policy-based VPN tunnels, a tunnel is treated as an object that, together with source, destination, application, and action, constitutes a tunnel policy that permits VPN traffic.
The number of policy-based VPN tunnels that you can create is limited by the number of policies that the device supports.
Policy-based VPNs cannot be used if NAT is required for tunneled traffic.
Policy-based VPNs cannot be used for hub-and-spoke topologies.
In a policy-based VPN configuration, the action must be allow and must include a tunnel.
The exchange of dynamic routing information is not supported in policy-based VPNs.
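As an added illustration of the two models the replies above describe (this is example configuration written for this page, not something posted in the thread or taken from Fortinet documentation), here is a FortiOS-style CLI configuration of the same site-to-site tunnel done both ways. The interface names (wan1, internal), the tunnel and address-object names, the pre-shared key placeholder, and the 10.1.0.0/16, 10.2.0.0/16 and 203.0.113.1 addresses are all assumed sample values; the `#` lines are explanatory comments.

```fortios
# Route-based (interface-mode) IPsec: the tunnel is an interface, routes steer, policies permit/deny
config firewall address
    edit "local-lan"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "remote-lan"
        set subnet 10.2.0.0 255.255.0.0
    next
end
config vpn ipsec phase1-interface
    edit "rb-tunnel"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set psksecret PSK-PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "rb-tunnel-p2"
        set phase1name "rb-tunnel"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "rb-tunnel"
    next
    # blackhole with a worse distance: if the tunnel is down, remote-LAN traffic is dropped
    # instead of following the default route out of wan1 in cleartext
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
# policies only permit or deny; a deny toward a VPN destination is perfectly legal here
config firewall policy
    edit 0
        set name "deny-telnet-to-remote"
        set srcintf "internal"
        set dstintf "rb-tunnel"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action deny
        set schedule "always"
        set service "TELNET"
    next
    edit 0
        set name "lan-to-remote"
        set srcintf "internal"
        set dstintf "rb-tunnel"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Policy-based (tunnel-mode, legacy) IPsec: one policy both permits the traffic and steers it into the tunnel
config system settings
    set gui-policy-based-ipsec enable
end
config vpn ipsec phase1
    edit "pb-tunnel"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set psksecret PSK-PLACEHOLDER
    next
end
config vpn ipsec phase2
    edit "pb-tunnel-p2"
        set phase1name "pb-tunnel"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# no route to 10.2.0.0/16 is needed: dstintf is the physical wan1 and the rule hit
# (action ipsec) is what encrypts; the action cannot be deny
config firewall policy
    edit 0
        set name "lan-remote-ipsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "pb-tunnel"
    next
end
```

Two things to keep in mind when adapting this: firewall policies are matched top-down and `edit 0` appends, so the deny policy is entered before the accept; and the route-based half only covers sessions started from the local LAN, so a mirror policy from `rb-tunnel` to `internal` is needed for remote-initiated traffic. After committing, `get router info routing-table all` should show 10.2.0.0/16 via rb-tunnel (and the blackhole only taking over when the tunnel interface is down), and `diagnose vpn tunnel list` shows whether the SAs are up.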
Copyright 2024 Fortinet, Inc. All Rights Reserved.