Comparing policy-based and route-based VPNs
You can use policy-based and route-based IPsec VPNs based on your network requirements.
Tip
We recommend using route-based VPNs instead of policy-based VPNs.
Additionally, route-based VPNs with local and remote subnets set to Any or with IP version set to Dual allow you to configure routes for these connections, offering flexibility and minimizing downtime related to network changes.
Comparison of the objects
For a comparison of the following types of VPN connections, see the tables:
- Route-based VPNs with the local and remote subnets set to Any.
- Route-based VPNs with traffic selectors (hosts or subnets) for the local and remote subnets.
- Policy-based VPNs.
Number of virtual interfaces
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
Creates an XFRM interface for each route-based VPN configuration, making debugging easier. You have greater control over the MTU. | Creates an XFRM interface for each route-based VPN configuration, making debugging easier. You have greater control over the MTU. | Creates a single IPsec interface for all policy-based VPN connections. tcpdump only shows this one IPsec interface for all policy-based connections, so per-connection captures are harder. |
Number of tunnels
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
Creates a single phase 2 tunnel for each XFRM interface, conserving resources. Creates two tunnels (for IPv4 and IPv6) if you set IP version to Dual. | Creates a phase 2 tunnel for each pair of local and remote subnets, requiring more resources. | Same as route-based VPN (Traffic selectors). |
Traffic entering the tunnel
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
Traffic matches the source, destination, and other settings you specify in the corresponding routes. | Traffic reaching the XFRM interface is matched with the configured traffic selectors. | VPN traffic reaching the listening interface is matched with the traffic selectors (local and remote subnets specified in the configuration). |
Routes
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
You must configure static, SD-WAN, or dynamic routes (such as RIP, OSPF, or BGP routes) to determine the traffic to be sent to the XFRM interface. | The firewall automatically configures a static route when the tunnel is established. | The firewall automatically creates a VPN route at the backend when the tunnel is established. You must use the ipsec_route command on the CLI for certain types of traffic. See Routing and NAT for IPsec tunnels. |
Firewall rules
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
Inbound and outbound firewall rules for the VPN zone control access based on the source and destination networks, services, users, and applications. | Same as route-based VPN (Any-to-any tunnel). | Same as route-based VPN (Any-to-any tunnel). |
NAT for overlapping subnets
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
You must configure SNAT and DNAT rules (Rules and policies > NAT rules) for overlapping subnets. | Use the NAT setting in the IPsec configuration for overlapping subnets. | Same as route-based VPN (Traffic selectors). |
Comparison of behavior
Failover
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
SD-WAN routes with multiple gateways and SLAs provide quicker failover to redundant routes. You don't need to create a VPN failover group when you configure SD-WAN routes. | VPN failover group provides redundant VPN tunnels. | Same as route-based VPN (Traffic selectors). |
Adding new networks
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
Configuration updates due to network changes don't result in downtime. Network changes require an update to the route configurations rather than the IPsec configuration. | Results in downtime. Changes to subnets at the local or remote networks require a change in the IPsec configuration, dropping established connections. | Same as route-based VPN (Traffic selectors). |
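The following Python model is an added illustration, not part of the original documentation or of the firewall's own code. It shows the behavior the tables above describe: selector-based tunnels (policy-based, or route-based with traffic selectors) need one phase 2 tunnel per local/remote subnet pair and must change the IPsec configuration to add a network, while an any-to-any route-based tunnel steers traffic by a longest-prefix route lookup and adds a network with a route change only. The class names, attribute names, and sample subnets are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass
class SelectorVpn:
    """Policy-based VPN, or route-based VPN with traffic selectors.
    One phase 2 tunnel per (local subnet, remote subnet) pair."""
    local: list
    remote: list

    def phase2_tunnels(self):
        return len(self.local) * len(self.remote)

    def selects(self, src, dst):
        # Traffic enters the tunnel only when some selector pair covers both ends.
        return any(ip_address(src) in ip_network(loc) and ip_address(dst) in ip_network(rem)
                   for loc, rem in product(self.local, self.remote))

    def add_remote(self, subnet):
        # A new subnet is a new selector pair: the IPsec configuration itself
        # changes, so established connections are dropped.
        self.remote.append(subnet)
        return "ipsec-config-change"


@dataclass
class AnyToAnyVpn:
    """Route-based VPN with local/remote set to Any: one phase 2 tunnel per
    XFRM interface (two when IP version is Dual); routes decide what enters it."""
    xfrm_if: str
    routes: dict          # destination prefix -> outgoing interface
    dual_stack: bool = False

    def phase2_tunnels(self):
        return 2 if self.dual_stack else 1

    def selects(self, src, dst):
        # Longest-prefix match on the destination, as a routing table does;
        # the source is not part of the decision (firewall rules handle that).
        dst_ip, best = ip_address(dst), None
        for prefix, dev in self.routes.items():
            net = ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best is not None and best[1] == self.xfrm_if

    def add_remote(self, subnet):
        # Only the route table changes; the tunnel and its connections stay up.
        self.routes[subnet] = self.xfrm_if
        return "route-change"
```

A more specific route pointing at another interface (for example, an overlapping subnet reachable locally) wins over the tunnel route, which is why the any-to-any type needs explicit NAT rules rather than a NAT setting in the IPsec configuration.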
When to use
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
|
| Same as route-based VPN (Traffic selectors). |
Recommended configuration
Route-based VPN (Any-to-any tunnel) | Route-based VPN (Traffic selectors) | Policy-based VPN |
---|---|---|
We recommend using these tunnels over the other two types. | You can use these to specify the traffic selectors. We recommend these instead of policy-based VPN, particularly for establishing connections with third-party firewalls. | Use these only if your network requires it. |