Policy-based VPN & Route-based VPN
While planning a VPN setup, it is imperative to understand the differences between the two VPN types: policy-based VPN and route-based VPN.
First a brief brush-up on both VPN types, and then we can detail how the two differ from each other.
Policy-based VPNs encrypt a subset of the traffic flowing through an interface, as defined by the policy configured in an access list. The policy dictates whether some or all of the interesting traffic traverses the VPN.
In contrast to a policy-based VPN, a route-based VPN uses routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes are created to direct the desired traffic through the VPN tunnel interface.
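The following is an added example, not part of the original article, that models the two traffic-selection mechanisms described above: a crypto access list for the policy-based case and a longest-prefix route lookup for the route-based case. All subnets, interface names and flows are constructed sample values; the interesting case is a remote subnet that the summary route covers but the access list does not.

```python
import ipaddress

# Constructed sample data (not from the article).
# Policy-based VPN: an access list of (source, destination) network pairs
# that defines the "interesting traffic" to be encrypted.
CRYPTO_ACL = [
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")),
]

# Route-based VPN: a routing table mapping prefixes to egress interfaces.
# Anything routed out of "tunnel0" is encrypted; longest prefix wins.
ROUTES = {
    ipaddress.ip_network("10.2.0.0/16"): "tunnel0",
    ipaddress.ip_network("0.0.0.0/0"): "eth0",
}


def policy_based_encrypts(src, dst):
    """Encrypt only if some crypto ACL entry matches the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in CRYPTO_ACL)


def lookup_route(dst):
    """Longest-prefix match over ROUTES, as a router would perform it."""
    d = ipaddress.ip_address(dst)
    matches = [net for net in ROUTES if d in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def route_based_encrypts(src, dst):
    """Encrypt whenever the route lookup hands the packet to the tunnel interface."""
    return lookup_route(dst) == "tunnel0"


def compare(flows):
    """Return {(src, dst): (policy_based, route_based)} for each constructed flow."""
    return {f: (policy_based_encrypts(*f), route_based_encrypts(*f)) for f in flows}


if __name__ == "__main__":
    flows = [
        ("10.1.0.5", "10.2.0.9"),  # covered by the ACL and by the route
        ("10.1.0.5", "10.2.7.9"),  # newly added remote subnet: route covers it, ACL does not
        ("10.1.0.5", "8.8.8.8"),   # internet-bound: neither mechanism encrypts
    ]
    for f, (pol, rt) in compare(flows).items():
        print(f, "policy-based:", pol, "route-based:", rt)
```

The second flow shows the "addition of new network" difference from the table: with the policy-based model the packet to the unlisted subnet falls through to the ordinary eth0 route until a new policy entry is added, whereas the summary route already carries it into the tunnel.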
Difference between Policy-based VPN and Route-based VPN

| Parameter | Policy-based VPN | Route-based VPN |
|---|---|---|
| Terminology | Policy-based VPNs encrypt and encapsulate a subset of the traffic flowing through an interface according to a defined policy (an access list). | A route-based VPN creates a virtual IPsec interface; whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPsec settings. |
| Scalability | The number of VPN tunnels is limited by the number of policies specified. | The number of VPN tunnels is limited by the number of route entries or tunnel interfaces the device supports. |
| Dynamic routing support | The exchange of dynamic routing information is not supported in policy-based VPNs. | Dynamic routing is supported over the tunnel interface. |
| Policy control | "Deny" of traffic flowing through the VPN tunnel can't be configured. | "Deny" of traffic flowing through the VPN tunnel can't be configured. |
| Network topology | Supports point-to-point topology; hub-and-spoke topology is not supported. | Supports hub-and-spoke, point-to-point and point-to-multipoint topologies. |
| Security Association status | SAs are formed in response to interesting traffic matching the policy (and are eventually torn down in the absence of such traffic). | SAs for a route-based VPN are always maintained as long as the corresponding tunnel interface is up. |
| Use case | Common reasons to use a policy-based VPN: the remote VPN device is a non-Juniper device; only one subnet or network at the remote site needs to be reached across the VPN. | Common reasons to use a route-based VPN: source or destination NAT (NAT-Src, NAT-Dst) must occur as traffic traverses the VPN; overlapping subnets/IP addresses between the two LANs; hub-and-spoke VPN topology; the design requires primary and backup VPNs; a dynamic routing protocol (OSPF, RIP, BGP) runs across the VPN; multiple subnets or networks at the remote site need to be reached across the VPN. |
| NATting of VPN traffic | Traffic flowing through the VPN tunnel can't be NATted. | Traffic flowing through the VPN tunnel can be NATted, since it passes through either the tunnel interface or the gateway IP address specified as the next hop in routing. |
| Remote access VPN | Remote access VPN can be implemented with a policy-based VPN. | Remote access VPN can't be implemented with a route-based VPN. |
| Vendor agnostic | Policy-based VPN may be supported by vendors that do not support route-based VPN. | Route-based VPN may not be supported by all vendors' devices. |
| Addition of new network | Tunnel policies must be configured when a new IP network is added. | Routing must be configured for the new network if a static route to the remote location is used. |