
What is the difference between a Policy-based VPN and a Route-based VPN? (KB ID: KB4124)

Article ID: KB4124
Former Article ID: ns10095
Published: Aug 07, 2007
Last Modified: Aug 07, 2007
Visible By: Employee, PTAC, Partner, Customer, Public


Article URL

http://kb.juniper.net/KB4124

Synopsis

This article briefly covers the differences between a Policy-Based VPN and a Route-Based VPN. In addition, it explains how to quickly identify which type is configured for an existing VPN.

Problem

Which type of VPN is configured: Route-Based or Policy-Based?

When should I configure a Route-Based VPN, and when a Policy-Based VPN?

Solution

Policy Based:

  • A Policy Based VPN is a configuration in which a specific VPN tunnel is referenced in a policy whose action is set to Tunnel. The tunnel icon appears either as a Lock or as a Lock with directional arrows, as shown in the sample below. The icon in the sample indicates that the policy is configured for a Bi-Directional Tunnel.
    (Figure: a policy's Action column with the Lock icon, indicating that this is a Policy-Based VPN)

Route Based:

  • A Route Based VPN is a configuration in which the policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone.
  • When a tunnel interface is in a security zone, it must be bound to a VPN tunnel. This is necessary in order to create a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from an interface in the security zone.
  • A tunnel is a means for delivering traffic between points A and B, and a policy is a method for either permitting or denying the delivery of that traffic. Simply put, ScreenOS allows you the freedom to separate the regulation of traffic from the means of its delivery.
  • If the tunnel interface does not need to support Policy Based NAT, and the configuration does not require the tunnel interface to be bound to a tunnel zone, the interface can be specified as unnumbered. An unnumbered tunnel interface must be bound to a security zone; it cannot be bound to a tunnel zone. An interface with an IP address must also be bound to the security zone from which the unnumbered tunnel interface borrows its address.

In addition, the Route Based VPNs must include the following configuration information:

  • Tunnel Interface
  • Phase I VPN Gateway configuration (listed under VPNs > AutoKey Advanced > Gateway on the WebUI)
  • Phase II VPN configuration (listed under VPNs > AutoKey IKE on the WebUI), including:
    • Local and Remote Proxy ID
    • VPN configuration bound to tunnel interface
  • Route for remote network pointing to tunnel interface
  • Policy specifying action of "Permit" to allow traffic
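The following Python script is an added example and is not part of the KB article or of ScreenOS. It applies the identification rule described above to a constructed ScreenOS configuration excerpt: a VPN named by a policy whose action is Tunnel is policy-based, a VPN bound to a tunnel interface is route-based, and for each route-based VPN it reports which of the required elements listed above (Proxy ID, route to the tunnel interface) are absent. The VPN names, gateway names, zones and addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed ScreenOS excerpt (hypothetical names and addresses, not from the
# article): one route-based VPN, one policy-based VPN and one incomplete VPN.
# The Phase I "set ike gateway" lines are omitted; they are not needed here.
SAMPLE_CONFIG = """
set interface tunnel.1 zone trust
set vpn branch-vpn gateway gw-branch sec-level standard
set vpn branch-vpn bind interface tunnel.1
set vpn branch-vpn proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any
set route 10.2.2.0/24 interface tunnel.1
set policy id 10 from trust to untrust "Local LAN" "Branch LAN" any permit
set vpn partner-vpn gateway gw-partner sec-level standard
set policy id 20 from trust to untrust "Local LAN" "Partner LAN" any tunnel vpn partner-vpn
set vpn lab-vpn gateway gw-branch sec-level standard
set vpn lab-vpn bind interface tunnel.2
"""

def classify_vpns(config):
    """Classify each 'set vpn' name and list missing route-based elements."""
    vpns = defaultdict(lambda: {"tunnel_interface": None, "proxy_id": False})
    routed = set()       # tunnel interfaces that a static route points to
    policy_vpns = set()  # VPNs named by a policy whose action is Tunnel
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"set vpn (\S+) gateway ", line):
            vpns[m.group(1)]  # register the Phase II VPN
        elif m := re.match(r"set vpn (\S+) bind interface (\S+)", line):
            vpns[m.group(1)]["tunnel_interface"] = m.group(2)
        elif m := re.match(r"set vpn (\S+) proxy-id ", line):
            vpns[m.group(1)]["proxy_id"] = True
        elif m := re.match(r"set route \S+ interface (tunnel\.\d+)", line):
            routed.add(m.group(1))
        elif m := re.match(r"set policy .*\btunnel vpn (\S+)", line):
            policy_vpns.add(m.group(1))
    report = {}
    for name, info in vpns.items():
        if name in policy_vpns:         # the policy references the tunnel itself
            report[name] = {"type": "policy-based", "missing": []}
        elif info["tunnel_interface"]:  # reached only through a tunnel interface
            missing = [] if info["tunnel_interface"] in routed else ["route"]
            if not info["proxy_id"]:
                missing.append("proxy-id")
            # A Permit policy is also required but cannot be tied to one VPN here.
            report[name] = {"type": "route-based", "missing": missing,
                            "tunnel_interface": info["tunnel_interface"]}
        else:                           # defined but nothing sends traffic to it
            report[name] = {"type": "unreferenced", "missing": []}
    return report
```

Run against a `get config` dump, the script flags route-based VPNs whose tunnel interface has no route pointing at it, which is the most common reason such a tunnel carries no traffic.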

Note: For additional information, consult: How to configure VPN on a NetScreen Firewall device

Category Description

By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » IP Protocols » Tunneling Protocols » IPSec

Purpose

Troubleshooting
