This article explains the differences between a policy-based VPN and a route-based VPN for Junos OS. In addition, it explains how to identify which type is configured for an existing VPN.
What type of VPN is configured, policy-based or route-based?
Policy-Based VPN
For an explanation of policy-based VPNs and examples of where policy-based VPNs can be used, refer to Understanding Policy-Based IPsec VPNs.
A tunnel is a means for delivering traffic between points A and B by using a security policy for both directing traffic into the tunnel and permitting or denying delivery of that traffic.
A policy-based VPN configuration includes a security policy whose permit action contains a tunnel statement, and that tunnel statement references a specific VPN.
Example
root@siteA# show security policies
from-zone trust to-zone untrust {
    policy vpnpolicy-tr {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {                        <----------------------
                    ipsec-vpn ike-vpn-srx2;
                }
            }
        }
    }
}
Route-Based VPN
For an explanation of route-based VPNs and examples of where route-based VPNs can be used, refer to Understanding Route-Based IPsec VPNs.
Important Points
- A tunnel is a means for delivering traffic between points A and B by using routes with next-hops that point towards the associated st0 interface.
- A security policy is used only for permitting or denying delivery of that traffic; it does not direct traffic into the tunnel.
- The st0 interface can be numbered or unnumbered.
- st0 interfaces must be bound to a security zone.
A route-based VPN has no associated security policy with a tunnel action. Instead, the VPN tunnel is bound to a secure tunnel interface (st0) by using the bind-interface command in the [security ipsec vpn vpn-name] hierarchy.
Example
root@siteA# show security ipsec
...
vpn ike-vpn-srx1 {
    bind-interface st0.0;                       <----------------------
    ike {
        gateway gw-srx1;
        proxy-identity {
            local 192.168.2.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
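To make the check described in this article repeatable across many devices, the following added Python example (not part of the article or of Junos OS) scans saved output of show security policies and show security ipsec and labels each VPN using the two markers above: a permit action with tunnel { ipsec-vpn NAME; } means policy-based, and bind-interface st0.N inside the vpn stanza means route-based. It also flags a VPN that carries both markers or neither, since in either case it is unclear what actually controls traffic into the tunnel. The configuration text is constructed to mirror the article's examples; ike-vpn-orphan and gw-srx2/gw-srx3 are invented names.

```python
import re
# Constructed sample output modelled on the article's two examples (not captured from a device).
SECURITY_POLICIES = """
from-zone trust to-zone untrust {
    policy vpnpolicy-tr {
        match { source-address local-net; destination-address remote-net; application any; }
        then { permit { tunnel { ipsec-vpn ike-vpn-srx2; } } }
    }
}
"""
SECURITY_IPSEC = """
vpn ike-vpn-srx1 {
    bind-interface st0.0;
    ike { gateway gw-srx1; ipsec-policy ipsec-phase2-policy; }
    establish-tunnels immediately;
}
vpn ike-vpn-srx2 {
    ike { gateway gw-srx2; ipsec-policy ipsec-phase2-policy; }
}
vpn ike-vpn-orphan {
    ike { gateway gw-srx3; ipsec-policy ipsec-phase2-policy; }
}
"""

def block_body(text, start):
    """Return the text inside the brace block whose opening '{' ends at index start."""
    depth = 1
    for i, ch in enumerate(text[start:], start):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces")

def classify_vpns(policies_text, ipsec_text):
    """Label each VPN: tunnel { ipsec-vpn NAME; } in a policy => policy-based,
    bind-interface st0.N inside the vpn stanza => route-based."""
    tunneled = set(re.findall(r"tunnel\s*\{\s*ipsec-vpn\s+(\S+);", policies_text))
    result = {}
    for m in re.finditer(r"\bvpn\s+(\S+)\s*\{", ipsec_text):
        name, body = m.group(1), block_body(ipsec_text, m.end())
        bound = re.search(r"\bbind-interface\s+st0\.\d+;", body) is not None
        if bound and name in tunneled:
            result[name] = "both"         # two entry paths; one is redundant or a misconfiguration
        elif bound:
            result[name] = "route-based"
        elif name in tunneled:
            result[name] = "policy-based"
        else:
            result[name] = "unbound"      # defined, but nothing steers traffic into the tunnel
    return result
```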
2020-12-18: Minor, non-technical updates
2020-06-08: Article reviewed for accuracy; no changes required; article still valid