With route-based VPNs, a policy does not specifically reference a VPN tunnel.
The number of route-based VPN tunnels that you create is limited by the number of route entries or the number of virtual interfaces that the device supports, whichever number is lower.
Route-based VPNs support NAT for virtual interfaces.
Route-based configurations are used for hub-and-spoke topologies.
With a route-based approach to VPNs, the regulation of traffic is not coupled to the means of its delivery. You can configure dozens of policies to regulate traffic flowing through a single VPN tunnel between two sites, and only one IPsec SA is at work. Also, a route-based VPN configuration allows you to create policies referencing a destination reached through a VPN tunnel in which the action is deny.
Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on a virtual interface that is bound to a VPN tunnel.
With policy-based VPN tunnels, a tunnel is treated as an object that, together with source, destination, application, and action, constitutes a tunnel policy that permits VPN traffic.
The number of policy-based VPN tunnels that you can create is limited by the number of policies that the device supports.
Policy-based VPNs cannot be used if NAT is required for tunneled traffic.
Policy-based VPNs cannot be used for hub-and-spoke topologies.
In a policy-based VPN configuration, the action must be allow and must include a tunnel.
The exchange of dynamic routing information is not supported in policy-based VPNs.
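As an added illustration (not from the original page), the two models expressed as Junos SRX set-style configuration for one branch peer: route-based, where the tunnel is the st0.0 interface and policies never mention it, beside policy-based, where the tunnel is part of the policy action. All names (gw-branch, vpn-to-branch, hq-net, branch-net, branch-mgmt, ike-pol, ipsec-pol), addresses and zone names are hypothetical, and the IKE/IPsec proposals and policies referenced as ike-pol and ipsec-pol are assumed to be configured elsewhere.

```junos
# Shared pieces (hypothetical values): peer gateway and address objects
set security ike gateway gw-branch address 203.0.113.2
set security ike gateway gw-branch ike-policy ike-pol
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security address-book global address hq-net 10.1.0.0/16
set security address-book global address branch-net 10.2.0.0/16
set security address-book global address branch-mgmt 10.2.255.0/24

# --- Route-based VPN: the tunnel is a virtual interface ---
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security ipsec vpn vpn-to-branch bind-interface st0.0
set security ipsec vpn vpn-to-branch ike gateway gw-branch
set security ipsec vpn vpn-to-branch ike ipsec-policy ipsec-pol
# Delivery is routing: a static route into the tunnel ...
set routing-options static route 10.2.0.0/16 next-hop st0.0
# ... or a dynamic routing protocol running across the tunnel interface
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
# Regulation is ordinary zone policy; many policies share one IPsec SA,
# and a deny toward a destination reached through the tunnel is legal
set security policies from-zone trust to-zone vpn policy block-mgmt match source-address any destination-address branch-mgmt application any
set security policies from-zone trust to-zone vpn policy block-mgmt then deny
set security policies from-zone trust to-zone vpn policy allow-branch match source-address hq-net destination-address branch-net application any
set security policies from-zone trust to-zone vpn policy allow-branch then permit

# --- Policy-based VPN: the tunnel is an object inside the policy ---
set security ipsec vpn vpn-to-branch-pb ike gateway gw-branch
set security ipsec vpn vpn-to-branch-pb ike ipsec-policy ipsec-pol
# The action must be permit and must name the tunnel; no st0 interface,
# no route, and no routing protocol can run through it
set security policies from-zone trust to-zone untrust policy tunnel-branch match source-address hq-net destination-address branch-net application any
set security policies from-zone trust to-zone untrust policy tunnel-branch then permit tunnel ipsec-vpn vpn-to-branch-pb
set security policies from-zone trust to-zone untrust policy tunnel-branch then permit tunnel pair-policy tunnel-hq
set security policies from-zone untrust to-zone trust policy tunnel-hq match source-address branch-net destination-address hq-net application any
set security policies from-zone untrust to-zone trust policy tunnel-hq then permit tunnel ipsec-vpn vpn-to-branch-pb
set security policies from-zone untrust to-zone trust policy tunnel-hq then permit tunnel pair-policy tunnel-branch
```

Only one of the two halves would be committed against the same peer; they are shown together to contrast where the tunnel appears in each model.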