Route-based vs Policy-based VPNs

Most firewalls support both policy-based and route-based VPN models. In most cases it makes little difference which one you use, but there are a few differences and use cases worth considering, described below.

A route-based VPN creates a virtual IPsec interface; whatever traffic is routed to that interface is encrypted, and whatever arrives on it is decrypted, according to the Phase 1 and Phase 2 IPsec settings.

Static routes are required for a route-based VPN, so that anything destined for the remote network is sent through the virtual IPsec interface, which is created when this option is enabled in the Phase 1 settings. Security policies are then created in the standard way to permit traffic between the source and destination addresses over the VPN tunnel.

In a policy-based VPN, the VPN tunnel is specified within the security policy itself, using a special action such as "IPsec" or "Encrypt" (the exact name depends on the firewall technology used). Typically only one policy is required for a policy-based VPN. A route-based VPN is created with two or more policies, one for inbound and another for outbound, each with a normal "Accept" action.

Route-based VPN vs Policy-based VPN

A route-based VPN is required when redundant VPN connections are needed, or when dynamic routing must run within the VPN tunnel. A route-based VPN only works in route (layer 3) mode, whereas a policy-based VPN works in both route and transparent mode, and a policy-based VPN is simpler to create.
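As an added illustration of the two models described above (route plus "Accept" policies versus a single policy with an IPsec action) and of why redundancy calls for the route-based one, the following Python models the firewall's forwarding decision under each approach. It is a constructed model, not the page's or any vendor's code; the interface names, the 10.2.0.0/16 remote site, the tunnel names and the policy fields are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Route:
    prefix: str
    iface: str          # "vpn1"/"vpn2" = virtual IPsec interfaces, "wan" = physical
    distance: int = 10  # lower wins; a backup tunnel route gets a higher value

@dataclass
class Policy:
    src_iface: str
    dst_iface: str
    dst_net: str
    action: str         # "accept" (route-based) or "ipsec" (policy-based)
    tunnel: str = ""    # tunnel selected by an "ipsec" action

def best_route(routes, up, dst):
    """Longest-prefix match over routes whose interface is up; lowest distance wins ties."""
    ip = ipaddress.ip_address(dst)
    ok = [r for r in routes if up.get(r.iface, True) and ip in ipaddress.ip_network(r.prefix)]
    return min(ok, default=None, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))

def first_policy(policies, in_iface, out_iface, dst):
    """Top-down, first match wins, as in a real rule base."""
    ip = ipaddress.ip_address(dst)
    return next((p for p in policies if (p.src_iface, p.dst_iface) == (in_iface, out_iface)
                 and ip in ipaddress.ip_network(p.dst_net)), None)

def route_based(routes, policies, up, dst, in_iface="lan"):
    """The route picks the IPsec interface; a plain 'accept' policy to it must also exist."""
    r = best_route(routes, up, dst)
    p = first_policy(policies, in_iface, r.iface, dst) if r else None
    if p is None or p.action != "accept":
        return "drop: no route or accept policy"
    return ("encrypt via " if r.iface.startswith("vpn") else "forward via ") + r.iface

def policy_based(routes, policies, up, dst, in_iface="lan"):
    """The 'ipsec' action names the tunnel; the policy is bound to that one tunnel."""
    r = best_route(routes, up, dst)
    p = first_policy(policies, in_iface, r.iface, dst) if r else None
    if p is None:
        return "drop: no route or policy"
    if p.action != "ipsec":
        return "forward via " + r.iface   # plaintext to the WAN: the ipsec action was left off
    return ("encrypt via " if up.get(p.tunnel, True) else "drop: tunnel down ") + p.tunnel

PB_ROUTES = [Route("0.0.0.0/0", "wan")]  # constructed sample: site 10.2.0.0/16 behind two tunnels
RB_ROUTES = PB_ROUTES + [Route("10.2.0.0/16", "vpn1", 10), Route("10.2.0.0/16", "vpn2", 20)]
RB_POLICIES = [Policy("lan", v, "10.2.0.0/16", "accept") for v in ("vpn1", "vpn2")]
PB_POLICIES = [Policy("lan", "wan", "10.2.0.0/16", "ipsec", tunnel="site-b")]
```

With vpn1 marked down, route_based falls over to the backup route through vpn2, and with both down the traffic is dropped rather than sent out the WAN because no lan-to-wan policy exists; policy_based has only the single tunnel its policy names, and a policy that omits the ipsec action forwards the traffic to the WAN in clear.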


Conclusion

A route-based VPN is more flexible and more powerful, and is recommended over a policy-based VPN. However, a policy-based VPN is usually simpler to create.

If you need redundant VPN connections and/or dynamic routing, and your firewall is in route/NAT (layer 3) mode (99% of the time it is), then use the route-based VPN model. If you don't require redundant VPN connections or dynamic routing, then you can use a policy-based VPN. There are other reasons to choose one or the other as well, but they are rarely required.