Policy based vs. Routing based IP-SEC VPN

Route based, in my opinion are easier to admin and i' ve had some issues with policy based vpns

rt-based is the prefer method & recommended by fortinet. The reason why I use it; snmp-ifindex # for graphi g interface can be capture on with sniffer & if setup for it you can run routing protocols over it you can bind VIPs So many great things about rt-based that I can' t think of one single complaint

You could face an issue where you must have policy based IF the firewall on the other end requires a separate ProxyID for every ACL entry. NetScreen pioneered the idea of a ProxyID-less VPN and then using security policy and routing to control traffic. Technically according to the IPSec standards there should be a seperate " interesting traffic" type ACL and THEN a security ACL. Routing takes the place of the interesting traffic ACL. This is a holy war/style thing that I used to argue at $previous_job all the time. I love and much prefer route based VPN' s myself and use them wherever possible. You may run into (most likely a Cisco or Checkpoint) an engineer who can' t bring up a tunnel on their side because of a " proxy ID mismatch" if so you may need to look at policy based.

As others have mentioned Route based is definitely the way to go. Significantly better (easier) to administer based on my experiences and tend to just function better. I will have a policy based VPN rolled out and the policy be at the very top and I swear sometimes it skips over that policy even with matching traffic. That may just be me though. Policy is great when you have a situation where you have to use it (transparent mode) but if you don' t have to use it I wouldn' t.....routing mode for the win

I would agree that route based VPN should be the way to go. Just wondering that should we use manual key or auto key for VPNs?

Typical manual keys is what' s used ( PSK or CERTs)