
[J/SRX] What is the difference between a policy-based VPN and a route-based VPN?

Article ID: KB10105    Last Updated: 20 Aug 2014    Version: 6.0
Summary:

This article explains the differences between a policy-based VPN and a route-based VPN on J Series and SRX Series devices running Junos. It also explains how to identify which type is configured for an existing VPN, from both the CLI and J-Web.


Symptoms:

What type of VPN is configured, policy-based or route-based?


Cause:
 
Solution:

Policy-based VPN:

For an explanation of policy-based VPNs and examples of where policy-based VPNs can be used, refer to Understanding Policy-Based IPsec VPNs.

The tunnel is a means for delivering traffic between points A and B. The security policy does two jobs at once: it directs matching traffic into the tunnel, and it permits or denies the delivery of that traffic.
A policy-based VPN configuration therefore includes a security policy whose permit action contains a tunnel statement referencing a specific IPsec VPN.

CLI:
root@siteA# show security policies
from-zone trust to-zone untrust {
    policy vpnpolicy-tr {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {                    <----------------------
                    ipsec-vpn ike-vpn-srx2;
                }
            }
        }
    }
}
J-Web:
Select Configure > Security > Policy > FW Policies.
A lock icon in the 'Action' column means that the policy is a VPN tunnel policy.
   Note: If you hover over the lock icon, it will specify that it is a tunnel policy.

[Screenshot: tunnel policy shown with a lock icon in the 'Action' column]

Route-based VPN:

For an explanation of route-based VPNs and examples of where route-based VPNs can be used, refer to Understanding Route-Based IPsec VPNs.

Important points:
  • The tunnel is a means for delivering traffic between points A and B using routes whose next-hops point towards the associated st0 interface.
  • A security policy is used only for permitting or denying the delivery of that traffic; it does not direct traffic into the tunnel.
  • The st0 interface can be numbered or unnumbered.
  • st0 interfaces must be bound to a security zone.

A route-based VPN has no security policy with a tunnel action. Instead, the VPN tunnel is bound to a secure tunnel interface (st0) using the 'bind-interface' statement in the [edit security ipsec vpn vpn-name] hierarchy.

CLI:
root@siteA# show security ipsec
...
vpn ike-vpn-srx1 {
    bind-interface st0.0;           <----------------------
    ike {
        gateway gw-srx1;
        proxy-identity {
            local 192.168.2.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
J-Web:
Select Configure > IPsec VPN > Auto Tunnel > Phase II. An st0 interface in the 'Bind Interface' column means that it is a route-based VPN. (For a policy-based VPN the 'Bind Interface' column will be blank.)
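The two identification rules above (a policy with 'then permit tunnel ipsec-vpn name' marks a policy-based VPN; 'bind-interface st0.N' under the vpn stanza marks a route-based one) are easy to apply by hand to a couple of VPNs, but on a firewall with dozens of them it is worth scripting against 'show configuration | display set' output. The script below is an added example written for this article; it is not Juniper code. It classifies every VPN found, records which st0 unit and static routes a route-based VPN uses, and warns when an st0 unit is not bound to a security zone (a requirement stated above) or when a tunnel policy references a VPN with no [security ipsec vpn] stanza. The sample configuration is constructed: the VPN, gateway and policy names come from this article, while the 'vpn' zone, the third VPN (ike-vpn-srx3), st0.1 and the static route are assumptions.

```python
"""Classify Junos VPNs as policy-based or route-based from `display set` output (added example)."""
import re
from collections import defaultdict

# Constructed sample input, not from a real device. Names from the article; the 'vpn'
# zone, ike-vpn-srx3, st0.1 and the static route are assumptions for illustration.
SAMPLE_CONFIG = """
set security ipsec vpn ike-vpn-srx1 bind-interface st0.0
set security ipsec vpn ike-vpn-srx1 ike gateway gw-srx1
set security ipsec vpn ike-vpn-srx1 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-srx1 establish-tunnels immediately
set security ipsec vpn ike-vpn-srx2 ike gateway gw-srx2
set security ipsec vpn ike-vpn-srx2 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-srx3 bind-interface st0.1
set security ipsec vpn ike-vpn-srx3 ike gateway gw-srx3
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr match source-address local-net
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr match destination-address remote-net
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr then permit tunnel ipsec-vpn ike-vpn-srx2
set security policies from-zone trust to-zone vpn policy vpnpolicy-rb match source-address local-net
set security policies from-zone trust to-zone vpn policy vpnpolicy-rb match destination-address remote-net
set security policies from-zone trust to-zone vpn policy vpnpolicy-rb match application any
set security policies from-zone trust to-zone vpn policy vpnpolicy-rb then permit
set routing-options static route 192.168.1.0/24 next-hop st0.0
"""

VPN_RE = re.compile(r"^set security ipsec vpn (\S+) ")
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$")
TUNNEL_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit tunnel ipsec-vpn (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (st0\.\d+)$")


def _new_entry():
    return {"type": "unclassified", "st0": None, "zone": None,
            "routes": [], "policies": [], "warnings": []}


def classify_vpns(config_text):
    """Return {vpn_name: entry}; entry['type'] is 'route-based', 'policy-based' or 'unclassified'."""
    vpns = {}
    zone_of_iface = {}                   # st0.N -> security zone it is bound to
    routes_via = defaultdict(list)       # st0.N -> static route prefixes using it as next-hop
    tunnel_policies = defaultdict(list)  # vpn name -> policies whose permit action tunnels into it
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VPN_RE.match(line)
        if m:
            vpns.setdefault(m.group(1), _new_entry())
        m = BIND_RE.match(line)
        if m:
            vpns[m.group(1)]["st0"] = m.group(2)
        m = TUNNEL_RE.match(line)
        if m:
            tunnel_policies[m.group(4)].append(f"{m.group(1)}->{m.group(2)}:{m.group(3)}")
        m = ZONE_IF_RE.match(line)
        if m:
            zone_of_iface[m.group(2)] = m.group(1)
        m = ROUTE_RE.match(line)
        if m:
            routes_via[m.group(2)].append(m.group(1))

    # A tunnel policy naming a VPN that has no [security ipsec vpn] stanza is a config error.
    for name in tunnel_policies:
        if name not in vpns:
            vpns[name] = _new_entry()
            vpns[name]["warnings"].append("tunnel policy references an undefined ipsec vpn")

    for name, entry in vpns.items():
        if entry["st0"]:                        # bind-interface present -> route-based
            entry["type"] = "route-based"
            entry["zone"] = zone_of_iface.get(entry["st0"])
            entry["routes"] = routes_via.get(entry["st0"], [])
            if entry["zone"] is None:           # the article: st0 must be bound to a zone
                entry["warnings"].append(f"{entry['st0']} is not bound to a security zone")
        if name in tunnel_policies:             # tunnel policy present -> policy-based
            entry["policies"] = tunnel_policies[name]
            if entry["type"] == "route-based":
                entry["warnings"].append("has both bind-interface and a tunnel policy")
            else:
                entry["type"] = "policy-based"
    return vpns


def report(vpns):
    """One line per VPN plus indented warnings, for reading in a terminal."""
    out = []
    for name, e in sorted(vpns.items()):
        extra = f" via {e['st0']} (zone {e['zone']}, routes {e['routes']})" if e["st0"] else ""
        out.append(f"{name}: {e['type']}{extra}")
        out.extend(f"  WARNING: {w}" for w in e["warnings"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(classify_vpns(SAMPLE_CONFIG)))
```

Run it on the output of 'show configuration security | display set' (plus 'show configuration routing-options | display set' if you want the route column populated). On the sample, ike-vpn-srx1 and ike-vpn-srx3 come out route-based and ike-vpn-srx2 policy-based; ike-vpn-srx3 also gets a warning because st0.1 is not placed in any zone, which is exactly the misconfiguration the "Important points" list above warns against. Routes learned dynamically over st0 (for example via OSPF) are not visible in 'display set' static routes, so an empty route list is informational only and is not reported as a warning.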





For configuration help, refer to KB21899 - Resolution Guides and Articles - SRX - VPN.

