Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Comparing policy-based and route-based VPNs

You can use policy-based and route-based IPsec VPNs based on your network requirements.

Tip

We recommend using route-based VPNs instead of policy-based VPNs.

Additionally, route-based VPNs with local and remote subnets set to Any or with IP version set to Dual allow you to configure routes for these connections, offering flexibility and minimizing downtime related to network changes.

Comparison of the objects

For a comparison of the following types of VPN connections, see the tables:

  • Route-based VPNs with the local and remote subnets set to Any.
  • Route-based VPNs with traffic selectors (hosts or subnets) for the local and remote subnets.
  • Policy-based VPNs.

Number of virtual interfaces

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
Creates an XFRM interface for each route-based VPN configuration, making debugging easier. You have greater control over the MTU. Creates an XFRM interface for each route-based VPN configuration, making debugging easier. You have greater control over the MTU. Creates a single IPsec interface for all policy-based VPN connections. TCP dump only shows this IPsec interface for all policy-based connections.

Number of tunnels

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
Creates a single phase 2 tunnel for each XFRM interface, conserving resources. Creates two tunnels (for IPv4 and IPv6) if you set IP version to Dual. Creates a phase 2 tunnel for each pair of local and remote subnets, requiring more resources. Same as route-based VPN (Traffic selectors).

Traffic entering the tunnel

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
Traffic matches the source, destination, and other settings you specify in the corresponding routes. Traffic reaching the XFRM interface is matched with the configured traffic selectors. VPN traffic reaching the listening interface is matched with the traffic selectors (local and remote subnets specified in the configuration).

Routes

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
You must configure static, SD-WAN, or dynamic routes, such as RIP, OSPF, BGP routes to determine the traffic to be sent to the XFRM interface. The firewall automatically configures a static route when the tunnel is established. The firewall automatically creates a VPN route at the backend when the tunnel is established. You must use the ipsec_route command on the CLI for certain types of traffic. See Routing and NAT for IPsec tunnels.

Firewall rules

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
Inbound and outbound firewall rules for the VPN zone control access based on the source and destination networks, services, users, and applications. Same as route-based VPN (Any-to-any tunnel). Same as route-based VPN (Any-to-any tunnel).

NAT for overlapping subnets

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
You must configure SNAT and DNAT rules (Rules and policies > NAT rules) for overlapping subnets. NAT setting in the IPsec configuration for overlapping subnets. Same as route-based VPN (Traffic selectors).

Comparison of behavior

Failover

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN

SD-WAN routes with multiple gateways and SLAs provide quicker failover to redundant routes.

You don't need to create a VPN failover group when you configure SD-WAN routes.

VPN failover group provides redundant VPN tunnels. Same as route-based VPN (Traffic selectors).

Adding new networks

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN

Configuration updates due to network changes don't result in downtime.

Network changes require an update to the route configurations rather than the IPsec configuration.

Results in downtime.

Changes to subnets at the local or remote networks require a change in the IPsec configuration, dropping established connections.

Same as route-based VPN (Traffic selectors).

When to use

Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
  • Large networks with rapid growth.
  • Networks with dynamic routing.
  • Networks with redundant gateways. Assign SD-WAN profiles with SLAs to SD-WAN routes to fail over to a custom gateway created on an XFRM interface or an MPLS connection.
  • Small networks with limited network expansion.
  • For specific network requirements.
Same as route-based VPN (Traffic selectors).
Route-based VPN
(Any-to-any tunnel)
Route-based VPN
(Traffic selectors)
Policy-based VPN
We recommend using these tunnels over the other two types. You can use these to specify the traffic selectors. We recommend these instead of policy-based VPN, particularly for establishing connections with third-party firewalls. Use these only if your network requires it.