Route based vs Policy based VPNS

Most firewalls support both policy-based and route-based VPNs. In most cases it doesn't really matter which one you use, but there are a couple of things to consider.

A route-based VPN is more flexible and more powerful, and is recommended over a policy-based one. However, a policy-based VPN is usually simpler to create.

A route-based VPN creates a virtual IPSec interface; whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPSec settings.

In a policy-based VPN the tunnel is specified within the policy itself, with an action of "IPSec", and only one policy is required. A route-based VPN is created with two policies, one for inbound and another for outbound, each with a normal "Accept" action.

A static route is also required for a route-based VPN, so that anything destined for the remote network goes through the virtual IPSec interface that was created when this option was specified in the Phase 1 settings.

A route-based VPN is also required when using redundant VPN connections. A route-based VPN only works in route mode, whereas a policy-based VPN works in both route and transparent mode.
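The following Python model is an added illustration, not code from the original page or from any firewall vendor. It simulates the two forwarding decisions described above: the route-based firewall sends whatever the routing table points at a virtual IPSec interface through that tunnel, while the policy-based firewall ties traffic to the single tunnel named in its IPSec policy. The tunnel names (ipsec_primary, ipsec_backup), the interface name wan1 and all addresses are constructed sample values. The demo then takes the primary tunnel down to show why redundant tunnels need the route-based model.

```python
"""Constructed model of route-based vs policy-based IPSec forwarding.

Illustration code only; not any vendor's implementation. Tunnel and
interface names and all addresses are assumed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    """An IPSec tunnel (phase 1 + phase 2) that is either established or not."""
    name: str
    up: bool = True


@dataclass
class Route:
    """Static route: prefix -> egress interface (physical or virtual IPSec)."""
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 10  # administrative distance; lower is preferred


class RouteBasedFirewall:
    """Route-based VPN: one virtual IPSec interface per tunnel, static routes
    pointing at those interfaces, and ordinary Accept policies."""

    def __init__(self, tunnels, routes, accept_policies):
        self.tunnels = {t.name: t for t in tunnels}  # keyed by interface name
        self.routes = routes
        self.accept_policies = accept_policies        # list of (src_net, dst_net)

    def _best_route(self, dst):
        # A route whose egress is a down tunnel interface is withdrawn; this
        # is what lets a backup tunnel take over in the route-based model.
        usable = [r for r in self.routes
                  if dst in r.prefix
                  and (r.interface not in self.tunnels or self.tunnels[r.interface].up)]
        if not usable:
            return None
        # Longest prefix match first, then lowest administrative distance.
        return min(usable, key=lambda r: (-r.prefix.prefixlen, r.distance))

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(src in s and dst in d for s, d in self.accept_policies):
            return "drop: no Accept policy"
        route = self._best_route(dst)
        if route is None:
            return "drop: no route"
        if route.interface in self.tunnels:
            return f"encrypt via {route.interface}"  # hit the virtual interface
        return f"clear via {route.interface}"


@dataclass
class IpsecPolicy:
    """Policy-based VPN: the policy carries action IPSec and names the one
    tunnel that traffic between src and dst must use."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str


class PolicyBasedFirewall:
    def __init__(self, tunnels, policies):
        self.tunnels = {t.name: t for t in tunnels}
        self.policies = policies

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for p in self.policies:
            # A single IPSec policy covers both directions of the tunnel.
            if (src in p.src and dst in p.dst) or (src in p.dst and dst in p.src):
                tunnel = self.tunnels[p.tunnel]
                if tunnel.up:
                    return f"encrypt via {tunnel.name}"
                # Bound to exactly this tunnel: nothing to fall back to.
                return f"drop: tunnel {tunnel.name} is down"
        return "drop: no policy"


def failover_demo():
    """Same site-to-site requirement on both models, before and after the
    primary tunnel fails. Returns the forwarding decision for each case."""
    net = ipaddress.ip_network
    local, remote, anywhere = net("10.1.0.0/16"), net("10.2.0.0/16"), net("0.0.0.0/0")

    # Route-based: two virtual IPSec interfaces, two static routes to the remote
    # network with different distances, plain Accept policies per direction.
    rb_tunnels = [Tunnel("ipsec_primary"), Tunnel("ipsec_backup")]
    rb = RouteBasedFirewall(
        rb_tunnels,
        routes=[Route(remote, "ipsec_primary", distance=10),
                Route(remote, "ipsec_backup", distance=20),
                Route(anywhere, "wan1", distance=10)],
        accept_policies=[(local, anywhere), (remote, local)],
    )

    # Policy-based: one policy with action IPSec tied to one tunnel.
    pb_tunnels = [Tunnel("ipsec_primary")]
    pb = PolicyBasedFirewall(pb_tunnels, [IpsecPolicy(local, remote, "ipsec_primary")])

    result = {
        "route_based_before": rb.forward("10.1.5.20", "10.2.8.9"),
        "policy_based_before": pb.forward("10.1.5.20", "10.2.8.9"),
    }
    rb_tunnels[0].up = False  # primary phase 1 drops on both firewalls
    pb_tunnels[0].up = False
    result["route_based_after"] = rb.forward("10.1.5.20", "10.2.8.9")
    result["policy_based_after"] = pb.forward("10.1.5.20", "10.2.8.9")
    result["internet_bound"] = rb.forward("10.1.5.20", "203.0.113.7")
    return result


if __name__ == "__main__":
    for case, decision in failover_demo().items():
        print(f"{case:20s} {decision}")
```

Running the demo shows both models encrypting via ipsec_primary while it is up; once it drops, the route-based firewall's routing table selects ipsec_backup, whereas the policy-based firewall has no second tunnel to use. Internet-bound traffic from the same host takes the default route in the clear, which is the "whatever hits the interface" behaviour of the route-based design.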

 

Conclusion

If your requirement is to create redundant VPN connections and your firewall is in route/NAT mode (99% of the time it is), then use a route-based VPN. If you don't require redundant VPN connections, you can use a policy-based VPN. There are other reasons to use one or the other as well, but they are rarely required.