Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN Overview : Types of VPNs : Comparing policy-based or route-based VPNs
Comparing policy-based or route-based VPNs
For both VPN types you create phase 1 and phase 2 configurations. Both types are handled in the stateful inspection security layer, assuming there is no IPS or AV. For more information on the security layers, see “Life of a Packet”.
The main difference is in the security policy.
You create a policy-based VPN by defining an IPSEC security policy between two network interfaces and associating it with the VPN tunnel (phase 1) configuration.
You create a route-based VPN by enabling IPsec interface mode in the VPN phase 1 configuration. This creates a virtual IPsec interface. You then define a regular ACCEPT security policy to permit traffic to flow between the virtual IPsec interface and another network interface. Lastly, you configure a static route that directs traffic for the remote network to the virtual IPsec interface.
Where possible, you should create route-based VPNs. Generally, route-based VPNs are more flexible and easier to configure than policy-based VPNs, because the tunnel is treated as an interface by default. However, the two VPN types have different requirements that limit where they can be used.
Table 71: Comparison of policy-based and route-based VPNs

Features                                  | Policy-based                                    | Route-based
------------------------------------------+-------------------------------------------------+-----------------------------------------------
Both NAT and transparent modes available  | Yes                                             | NAT mode only
L2TP-over-IPsec supported                 | Yes                                             | No
GRE-over-IPsec supported                  | No                                              | Yes
Security policy requirements              | Requires a security policy with IPSEC action    | Requires only a simple security policy with
                                          | that specifies the VPN tunnel                   | ACCEPT action
Number of policies per VPN                | One policy controls connections in both         | A separate policy is required for connections
                                          | directions                                      | in each direction