Comparing policy-based and route-based VPNs

You can use policy-based and route-based IPsec VPNs based on your network requirements.

Comparison of the objects

| Object | Policy-based VPN | Route-based VPN |
| --- | --- | --- |
| Number of virtual interfaces | Creates a single IPsec interface internally for all policy-based VPN connections. | Creates a virtual tunnel interface (VTI), which appears as an xfrm interface, for each route-based VPN configuration. |
| Number of tunnels | Creates a tunnel for each pair of local and remote subnets. These tunnels require more resources. | Creates a single tunnel for each xfrm interface, conserving resources. |
| Traffic entering the tunnel | Traffic reaches the listening interface and matches the local and remote subnets specified in IPsec connections. | Traffic matches the source, destination, and other settings you specify in the corresponding routes. |
| Routes | The firewall automatically creates a VPN route at the backend when the tunnel is established. You must use the ipsec_route command on the CLI for certain types of traffic. See Routing and NAT for IPsec tunnels. | Requires static, dynamic, or SD-WAN policy routes. |
| Firewall rules | Requires inbound and outbound firewall rules using the VPN zone. | Requires inbound and outbound firewall rules using the VPN zone. |
| NAT (Network address translation) for overlapping subnets | NAT setting configured within the IPsec connection. | NAT rule configured from Rules and policies > NAT rules. |

Comparison of the behavior

| Behavior | Policy-based VPN | Route-based VPN |
| --- | --- | --- |
| Adding new networks | Results in downtime. Changes to subnets at the local or remote networks require a change in the IPsec connection configuration, dropping established connections. | Doesn't result in downtime. Network changes require an update to the route configurations rather than the IPsec connection configuration. |
| Control over access to resources | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. |
| Control over routing | Can't configure granular route controls. | SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications. |
| Failover | VPN failover group provides redundant VPN tunnels. | VPN failover group provides redundant tunnels. SD-WAN policy routing with backup gateway configuration provides redundant routes. |
| When to use | Small networks with limited network expansion. Limited network resources. | Large networks experiencing rapid growth. Networks with dynamic routing. When you want redundant gateways: use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection. |
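The following model illustrates the "Number of tunnels", "Traffic entering the tunnel" and "Adding new networks" rows above: a policy-based connection negotiates one tunnel per (local, remote) subnet pair and only carries flows that fit a pair, while a route-based setup has one tunnel per xfrm interface and steers traffic by routing-table lookup. This is an added illustration, not Sophos Firewall code; all subnets, addresses and interface names in it are constructed sample values.

```python
"""Model of how traffic is steered into a policy-based vs. a route-based tunnel.
Added illustration for this comparison, not Sophos Firewall code; all subnets,
addresses and interface names below are constructed sample values."""
import ipaddress
from itertools import product


def policy_based_tunnels(local_subnets, remote_subnets):
    """Policy-based VPN: one tunnel (traffic-selector pair) is negotiated
    for every (local, remote) subnet pair in the IPsec connection."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_subnets, remote_subnets)]


def policy_based_match(tunnels, src, dst):
    """A packet is tunnelled only if src and dst fall inside one selector pair.
    Returns that pair, or None when no tunnel covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in tunnels:
        if s in local and d in remote:
            return (local, remote)
    return None


def route_based_lookup(routes, dst):
    """Route-based VPN: a single tunnel per xfrm interface; the routing table
    picks the egress interface by longest-prefix match on the destination."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    local = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
    remote = ["192.168.10.0/24", "192.168.20.0/24"]
    tunnels = policy_based_tunnels(local, remote)
    print(len(tunnels), "policy-based tunnels for 3 x 2 subnets")
    # A remote subnet not yet in the IPsec connection gets no tunnel; adding
    # it means editing the connection, which rebuilds the established tunnels.
    print(policy_based_match(tunnels, "10.1.0.5", "192.168.30.7"))
    # Route-based: the same new subnet only needs a route to the xfrm interface.
    routes = [("0.0.0.0/0", "wan"), ("192.168.0.0/16", "xfrm1"),
              ("192.168.30.0/24", "xfrm1")]
    print(route_based_lookup(routes, "192.168.30.7"))
```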