Comparing policy-based and route-based VPNs
You can use policy-based or route-based IPsec VPNs, depending on your network requirements.
Comparison of the objects
| Object | Policy-based VPN | Route-based VPN |
|---|---|---|
| Number of virtual interfaces | Creates a single IPsec interface internally for all policy-based VPN connections. | Creates a virtual tunnel interface (VTI), which appears as an xfrm interface, for each route-based VPN configuration. |
| Number of tunnels | Creates a tunnel for each pair of local and remote subnets. These tunnels require more resources. | Creates a single tunnel for each xfrm interface, conserving resources. |
| Traffic entering the tunnel | Traffic reaches the listening interface and matches the local and remote subnets specified in IPsec connections. | Traffic matches the source, destination, and other settings you specify in the corresponding routes. |
| Routes | The firewall automatically creates a VPN route at the backend when the tunnel is established. You must use the ipsec_route command on the CLI for certain types of traffic. See Routing and NAT for IPsec tunnels. | Requires static, dynamic, or SD-WAN policy routes. |
| Firewall rules | Requires inbound and outbound firewall rules using the VPN zone. | Requires inbound and outbound firewall rules using the VPN zone. |
| NAT (Network address translation) for overlapping subnets | NAT setting configured within the IPsec connection. | NAT rule configured from Rules and policies > NAT rules. |
Comparison of the behavior
| Behavior | Policy-based VPN | Route-based VPN |
|---|---|---|
| Adding new networks | Results in downtime. Changes to subnets at the local or remote networks require a change in the IPsec connection configuration, dropping established connections. | Doesn't result in downtime. Network changes require an update to the route configurations rather than the IPsec connection configuration. |
| Control over access to resources | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. | Firewall rules control access. Control is based on the source and destination networks, services, users, and applications. |
| Control over routing | Can't configure granular route controls. | SD-WAN policy routes provide granular routing based on the source and destination networks, services, users, and applications. |
| Failover | VPN failover group provides redundant VPN tunnels. | VPN failover group provides redundant tunnels. SD-WAN policy routing with backup gateway configuration provides redundant routes. |
| When to use | Small networks with limited network expansion. Limited network resources. | Large networks experiencing rapid growth. Networks with dynamic routing. When you want redundant gateways. Use the primary-backup gateway configuration in SD-WAN policy routing to fail over to a custom gateway created on an xfrm interface or an MPLS connection. |
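The tunnel-count and traffic-matching differences in the two tables above, as an added Python model that is not part of the original page or of the firewall's own code. The subnets, the `xfrm1` interface name and the route table are constructed for illustration; the model shows why a policy-based VPN needs one tunnel per local/remote subnet pair and must be reconfigured when a remote network is added, while a route-based VPN only gains a route.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology; the subnets are illustrative, not from the original page.
LOCAL = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]
REMOTE = [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")]


def policy_selectors(local, remote):
    """Policy-based VPN: one tunnel (traffic selector pair) per local/remote subnet pair."""
    return [(lnet, rnet) for lnet in local for rnet in remote]


def policy_match(selectors, src, dst):
    """Return the selector pair that carries a packet, or None if nothing matches.

    Traffic only enters a policy-based tunnel when both the source and the
    destination fall inside a configured local/remote pair."""
    s, d = ip_address(src), ip_address(dst)
    for lnet, rnet in selectors:
        if s in lnet and d in rnet:
            return (lnet, rnet)
    return None


def route_table(remote, iface="xfrm1"):
    """Route-based VPN: one static route per remote subnet, all via the same xfrm interface."""
    return [(rnet, iface) for rnet in remote]


def route_lookup(routes, dst):
    """Longest-prefix match selects the xfrm interface for a destination (or None)."""
    d = ip_address(dst)
    candidates = [(net, iface) for net, iface in routes if d in net]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)[1]


def add_remote_subnet(local, remote, routes, new_subnet, iface="xfrm1"):
    """Compare what changes in each design when a new remote network is added.

    Policy-based: the selector set, and so the IPsec connection, must be rebuilt.
    Route-based: one route pointing at the existing xfrm interface is added."""
    new_remote = remote + [ip_network(new_subnet)]
    selectors = policy_selectors(local, new_remote)        # grows by len(local)
    new_routes = routes + [(ip_network(new_subnet), iface)]  # one extra route
    return {
        "policy_tunnels": len(selectors),
        "route_tunnels": len({name for _, name in new_routes}),
        "routes": len(new_routes),
    }
```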