Comparing policy-based and route-based VPNs

Sophos Firewall supports both policy-based and route-based IPsec VPNs; choose between them based on your network requirements. The tables below compare the objects each type creates and how each behaves as the network changes.

Table 1. Comparison of the objects

| | Policy-based VPN | Route-based VPN |
|---|---|---|
| Number of virtual interfaces | Creates a single IPsec interface internally for all policy-based VPN connections. | Creates a virtual tunnel interface (VTI), which appears as an XFRM interface, for each route-based VPN configuration. |
| Number of tunnels | Creates a tunnel for each pair of local and remote subnets. These tunnels require more resources. | Creates a single tunnel for each XFRM interface, conserving resources. |
| Traffic entering the tunnel | Traffic reaches the listening interface and matches the local and remote subnets specified in the IPsec connection. | Traffic matches the source, destination, and other settings you specify in the corresponding routes. |
| Routes | Not required. | Requires static, dynamic, or SD-WAN policy routes. |
| Firewall rules | Requires inbound and outbound firewall rules using the VPN zone. | Requires inbound and outbound firewall rules using the VPN zone. |
| NAT (network address translation) for overlapping subnets | NAT setting configured within the IPsec connection. | NAT rule configured from Rules and policies > NAT rules. |

Table 2. Comparison of the behavior

| | Policy-based VPN | Route-based VPN |
|---|---|---|
| Adding new networks | Results in downtime. Changes to subnets at the local or remote networks require a change in the IPsec connection configuration, dropping established connections. | Doesn't result in downtime. Network changes require an update to the route configurations rather than the IPsec connection configuration. |
| Control over access to resources | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. |
| Control over routing | Can't configure granular route controls. | SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications. |
| Redundancy | VPN failover group provides redundant VPN tunnels. | VPN failover group provides redundant tunnels. SD-WAN policy routing with backup gateway configuration provides redundant routes. |
| When to use | Small networks with limited network expansion. Limited network resources. | Large networks experiencing rapid growth. Networks with dynamic routing. When you want redundant gateways: use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an XFRM interface or an MPLS connection. |
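The rows on tunnel count, traffic selection and adding new networks can be checked with a small model. The following Python is an added illustration, not Sophos Firewall code: it reproduces only the behaviour the two tables state (one tunnel per local/remote subnet pair versus one tunnel per XFRM interface, selector matching versus route lookup, and a connection edit versus a route change when a subnet is added). The subnets, the interface name `xfrm1`, the `wan-gateway` next hop and the `reconfigurations` counter are all constructed for the example.

```python
"""Model of traffic selection in policy-based vs route-based IPsec VPNs.

Added example, not Sophos Firewall code. Subnets, interface and gateway
names are constructed; behaviour follows the comparison tables only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass
class PolicyBasedVPN:
    """Policy-based: the IPsec connection itself lists local/remote subnets."""
    local_subnets: list
    remote_subnets: list
    reconfigurations: int = 0  # each one edits the connection and drops its tunnels

    def tunnels(self):
        # One tunnel per (local, remote) subnet pair, as Table 1 states.
        return list(product(self.local_subnets, self.remote_subnets))

    def add_remote_subnet(self, prefix):
        # The selectors live in the connection, so the connection must change.
        self.remote_subnets.append(ip_network(prefix))
        self.reconfigurations += 1

    def enters_tunnel(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        return any(src in loc and dst in rem for loc, rem in self.tunnels())


@dataclass
class RouteBasedVPN:
    """Route-based: one XFRM interface, one tunnel; routes decide what enters it."""
    interface: str = "xfrm1"          # hypothetical XFRM interface name
    routes: dict = field(default_factory=dict)  # constructed table: prefix -> egress
    reconfigurations: int = 0         # stays 0: routes change, the connection does not

    def tunnels(self):
        return [self.interface]       # a single tunnel regardless of subnet count

    def add_remote_subnet(self, prefix):
        self.routes[ip_network(prefix)] = self.interface

    def enters_tunnel(self, src, dst):
        # Longest-prefix match on the destination, like a static route lookup.
        dst = ip_address(dst)
        candidates = [p for p in self.routes if dst in p]
        if not candidates:
            return False
        best = max(candidates, key=lambda p: p.prefixlen)
        return self.routes[best] == self.interface


def build_site_to_site():
    """Constructed scenario: two local and two remote subnets on each VPN type."""
    local = [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")]
    remote = [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")]
    policy = PolicyBasedVPN(local_subnets=list(local), remote_subnets=list(remote))
    route = RouteBasedVPN()
    route.routes[ip_network("0.0.0.0/0")] = "wan-gateway"  # default route stays on the WAN
    for net in remote:
        route.routes[net] = route.interface
    return policy, route


def compare(new_remote="192.168.30.0/24"):
    """Add one remote subnet to both VPN types and report what changed."""
    policy, route = build_site_to_site()
    before = (len(policy.tunnels()), len(route.tunnels()))
    policy.add_remote_subnet(new_remote)
    route.add_remote_subnet(new_remote)
    after = (len(policy.tunnels()), len(route.tunnels()))
    return {
        "tunnels_before": before,
        "tunnels_after": after,
        "reconfigurations": (policy.reconfigurations, route.reconfigurations),
        "new_subnet_reachable": (
            policy.enters_tunnel("10.1.0.5", "192.168.30.7"),
            route.enters_tunnel("10.1.0.5", "192.168.30.7"),
        ),
        # Internet-bound traffic must stay out of the tunnel on both types.
        "internet_bypasses_tunnel": (
            not policy.enters_tunnel("10.1.0.5", "203.0.113.9"),
            not route.enters_tunnel("10.1.0.5", "203.0.113.9"),
        ),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running `compare()` shows the policy-based side growing from 4 to 6 tunnels and recording a connection edit, while the route-based side keeps its single tunnel and only gains a route. The model does not represent firewall rules: on both VPN types the VPN zone rules from Table 1 still decide whether the selected traffic is permitted.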