
SRX Getting Started - Configure VPN tunnel for site-to-site connectivity



Article ID: KB15745 | KB Last Updated: 10 Sep 2021 | Version: 12.0

There are two options for configuring a standard IPSec (site-to-site) VPN tunnel: route-based VPN and policy-based VPN. This article provides an overview of the differences between a route-based VPN and policy-based VPN, the criteria for determining which to implement, as well as links to application notes that address configuration and troubleshooting.

For other topics, go to the SRX Getting Started main page.

  • Determine whether to implement route-based VPN or policy-based VPN for site-to-site connectivity
  • Configure and troubleshoot route-based and policy-based VPNs

This section contains the following:

  • Route-based vs Policy-based VPN
  • Technical Documentation
  • Troubleshooting

For information about client-to-site VPN, see KB14318 - Configure Dynamic VPN.

Route-based vs Policy-based VPN

With policy-based VPN tunnels, a tunnel is treated as an object that, together with source, destination, application, and action, comprises a tunnel policy that permits VPN traffic. In a policy-based VPN configuration, a tunnel policy specifically references a VPN tunnel by name.

With route-based VPNs, a policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the security device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a secure tunnel (ST) interface, which is bound to a specific VPN tunnel.

Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.


The following are reasons to implement route-based VPN:
  • Source or destination NAT (NAT-src or NAT-dst) needs to occur as traffic travels through the VPN.
  • There are overlapping subnets or IP addresses between the two LANs.
  • Hub-and-spoke VPN topology is used in the network.
  • Primary and backup VPN are required.
  • A dynamic routing protocol (for example, OSPF, RIP, or BGP) is running across the VPN.
  • Multiple subnets or networks at the remote site across the VPN need to be accessed.

The following are reasons to implement policy-based VPN:

  • The remote VPN device is a non-Juniper device.
  • Only one subnet or one network at the remote site across the VPN needs to be accessed.

For more information on the differences, refer to VPN Overview.
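The two models described above, side by side in Junos set-format, as an added illustration that is not part of this KB article. All names (ike-pol, gw-remote, vpn-remote, zone "vpn", address-book entries) and the RFC 5737/RFC 1918 addresses are placeholders; pick one option, not both.

```junos
# Added illustrative configuration, not from the KB article. Placeholders:
# 203.0.113.2 = remote peer, 192.168.10.0/24 = local LAN, 10.20.0.0/16 = remote LAN.

# --- Shared phase 1 / phase 2 definitions (used by either option) -----------
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway gw-remote ike-policy ike-pol
set security ike gateway gw-remote address 203.0.113.2
set security ike gateway gw-remote external-interface ge-0/0/0.0
set security ipsec policy ipsec-pol proposal-set standard
set security address-book global address local-lan 192.168.10.0/24
set security address-book global address remote-lan 10.20.0.0/16

# --- Option A: route-based VPN ----------------------------------------------
# The VPN is bound to a secure tunnel (st0) interface. The route, not the
# policy, decides that traffic for 10.20.0.0/16 enters the tunnel.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-remote establish-tunnels immediately
# With a non-Juniper peer, state the proxy IDs explicitly: a route-based
# policy carries no tunnel address pair from which to derive them.
set security ipsec vpn vpn-remote ike proxy-identity local 192.168.10.0/24
set security ipsec vpn vpn-remote ike proxy-identity remote 10.20.0.0/16
set routing-options static route 10.20.0.0/16 next-hop st0.0
# The policy only permits or denies delivery; it never names the tunnel.
set security policies from-zone trust to-zone vpn policy to-remote match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-remote match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy to-remote match application any
set security policies from-zone trust to-zone vpn policy to-remote then permit

# --- Option B: policy-based VPN (instead of Option A) -----------------------
# No st0 interface and no static route: the policy references the tunnel by
# name, and its source/destination pair becomes the proxy ID.
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy ipsec-pol
set security policies from-zone trust to-zone untrust policy to-remote match source-address local-lan
set security policies from-zone trust to-zone untrust policy to-remote match destination-address remote-lan
set security policies from-zone trust to-zone untrust policy to-remote match application any
set security policies from-zone trust to-zone untrust policy to-remote then permit tunnel ipsec-vpn vpn-remote
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` confirm phase 1 and phase 2 came up; in Option A, `show route 10.20.0.0/16` should resolve via st0.0.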


Technical Documentation

Troubleshooting

For step-by-step troubleshooting information for route-based and policy-based VPNs, see KB10100.

Modification History:
2021-09-08: Removed broken links
2019-12-23: Removed the references and link to I2J as it is decommissioned.