Comparing policy-based and route-based VPNs
You can use policy-based and route-based IPsec VPNs based on your network requirements.
| | Policy-based VPN | Route-based VPN |
|---|---|---|
| Number of virtual interfaces | Creates a single IPsec interface internally for all policy-based VPN connections. | Creates a virtual tunnel interface (VTI), which appears as an XFRM interface, for each route-based VPN configuration. |
| Number of tunnels | Creates a tunnel for each pair of local and remote subnets. These tunnels require more resources. | Creates a single tunnel for each XFRM interface, conserving resources. |
| Traffic entering the tunnel | Traffic reaches the listening interface and matches the local and remote subnets specified in IPsec connections. | Traffic matches the source, destination, and other settings you specify in the corresponding routes. |
| Routes | Not required. | Requires static, dynamic, or SD-WAN policy routes. |
| Firewall rules | Requires inbound and outbound firewall rules using the VPN zone. | Requires inbound and outbound firewall rules using the VPN zone. |
| NAT (Network address translation) for overlapping subnets | NAT setting configured within the IPsec connection. | NAT rule configured from . |
| Adding new networks | Results in downtime. Changes to subnets at the local or remote networks require a change in the IPsec connection configuration, dropping established connections. | Doesn't result in downtime. Network changes require an update to the route configurations rather than the IPsec connection configuration. |
| Control over access to resources | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. |
| Control over routing | Can't configure granular route controls. | SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications. |
| Failover | VPN failover group provides redundant VPN tunnels. | VPN failover group provides redundant tunnels. SD-WAN policy routing with backup gateway configuration provides redundant routes. |
| When to use | Small networks with limited network expansion. Limited network resources. | Large networks experiencing rapid growth. Networks with dynamic routing. When you want redundant gateways. Use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an XFRM interface or an MPLS connection. |
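The rows above on tunnel count, traffic selection, and adding new networks describe two different traffic-selection models. The following is an added illustration, not code from the firewall product or its documentation: a small Python model in which a policy-based VPN keeps one tunnel per local/remote subnet pair and only encrypts traffic that matches a pair, while a route-based VPN carries everything over one XFRM interface and lets the routing table (longest prefix match) decide what enters it. The subnets, the interface names `xfrm1` and `eth0`, and the `reconfigurations` counter are constructed assumptions chosen to show the behaviour; the counter stands in for the connection change that drops established sessions.

```python
"""Model of policy-based vs. route-based IPsec traffic selection.

Constructed example (assumption): subnets, interface names and the
reconfiguration counter are illustrative, not product configuration.
"""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


class PolicyBasedVpn:
    """One tunnel per (local, remote) subnet pair on one internal IPsec
    interface. Traffic matching no pair is not protected by the VPN."""

    def __init__(self, local_subnets, remote_subnets):
        self.local = [_net(n) for n in local_subnets]
        self.remote = [_net(n) for n in remote_subnets]
        self.reconfigurations = 0  # assumed stand-in for a connection re-apply
        self._build()

    def _build(self):
        # Every local/remote pair becomes its own tunnel (selector).
        self.tunnels = [(l, r) for l in self.local for r in self.remote]

    def tunnel_count(self):
        return len(self.tunnels)

    def add_remote_subnet(self, cidr):
        # Selector set changes, so the IPsec connection must be re-applied;
        # the page notes this drops established connections.
        self.remote.append(_net(cidr))
        self.reconfigurations += 1
        self._build()

    def classify(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, (local, remote) in enumerate(self.tunnels):
            if src in local and dst in remote:
                return f"ipsec-tunnel-{i}"
        return "cleartext"  # no selector matched: traffic bypasses the VPN

    def protected(self, src, dst):
        return self.classify(src, dst) != "cleartext"


class RouteBasedVpn:
    """A single tunnel bound to one XFRM interface; the routing table
    decides which destinations enter it (longest prefix match)."""

    def __init__(self, xfrm_iface, remote_subnets, default_iface="eth0"):
        self.iface = xfrm_iface
        self.default_iface = default_iface
        self.routes = []  # (prefix, outgoing interface)
        self.reconfigurations = 0
        for cidr in remote_subnets:
            self.add_route(cidr)

    def tunnel_count(self):
        return 1  # one tunnel per XFRM interface regardless of subnet count

    def add_route(self, cidr):
        # Routing change only; the IPsec connection is left untouched.
        self.routes.append((_net(cidr), self.iface))

    def add_remote_subnet(self, cidr):
        self.add_route(cidr)

    def classify(self, src, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, iface in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else self.default_iface

    def protected(self, src, dst):
        return self.classify(src, dst) == self.iface


def unprotected_flows(vpn, flows):
    """Audit helper: return the (src, dst) pairs that would leave the
    firewall without entering the VPN under the given model."""
    return [(s, d) for s, d in flows if not vpn.protected(s, d)]


if __name__ == "__main__":
    locals_, remotes = ["10.1.0.0/24", "10.2.0.0/24"], ["192.168.10.0/24", "192.168.20.0/24"]
    pb = PolicyBasedVpn(locals_, remotes)
    rb = RouteBasedVpn("xfrm1", remotes)
    print("tunnels:", pb.tunnel_count(), "vs", rb.tunnel_count())
    flows = [("10.1.0.5", "192.168.20.7"), ("10.1.0.5", "192.168.30.7")]
    print("policy-based leaves unprotected:", unprotected_flows(pb, flows))
    pb.add_remote_subnet("192.168.30.0/24")
    rb.add_remote_subnet("192.168.30.0/24")
    print("reconfigurations:", pb.reconfigurations, "vs", rb.reconfigurations)
```

The `unprotected_flows` audit is the check worth keeping in mind with the policy-based model: a flow to a subnet that was never added as a selector pair is not dropped, it simply never enters the tunnel, which is why subnet changes on either side need the connection update the table describes.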