[ScreenOS] What is the difference between a Policy-based VPN and a Route-based VPN?

  [KB4124]


Summary:
This article describes the differences between a policy-based VPN and a route-based VPN, and shows how to quickly identify which type an existing VPN uses.
Symptoms:
  • How do I check whether a VPN is configured as route-based or policy-based?

  • When should I configure a route-based or a policy-based VPN?
Solution:

Policy Based:

  • A policy-based VPN is a configuration in which a specific VPN tunnel is referenced directly in a policy whose action is set to Tunnel. In the WebUI policy list the Action column shows the tunnel icon, either a lock or a lock with directional arrows; the lock with arrows indicates that the policy is configured for a bidirectional tunnel, as in the sample below.
    A policy's Action column with the lock icon, indicating that this is a policy-based VPN

You can also identify whether a VPN is route-based or policy-based from the command line. In the output of get sa, the PID column lists the ID of the policy that created each SA (the < line is the inbound SA, the > line the outbound SA):

SSG-> get sa
total configured sa: 1
HEX ID    Gateway  Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 1.1.1.1  500  esp:3des/sha1 e37791d3 3596     unlim A/- 2   0
00000001> 1.1.1.1  500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1   0

Here the PID column shows 2 and 1, so policy IDs 2 and 1 use this SA pair and the VPN is policy-based. For a route-based VPN the PID value is -1, because the SA belongs to a VPN bound to a tunnel interface rather than to a policy.


Common reasons to use a Policy-based VPN:

  • The remote VPN device is a non-Juniper device

  • Only one subnet or network at the remote site needs to be reached across the VPN.


Route Based:

  • A route-based VPN is a configuration in which the policy does not reference a specific VPN tunnel. Instead, the VPN tunnel is referenced indirectly by a route that points to a tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone.

  • When a tunnel interface is placed in a security zone, it must be bound to a VPN tunnel; this binding is what makes the configuration route-based. The tunnel interface can be numbered or unnumbered. If it is unnumbered, it borrows the IP address of an interface in that security zone.

  • A tunnel is a means of delivering traffic between points A and B, and a policy is a means of permitting or denying the delivery of that traffic. Simply put, ScreenOS lets you separate the regulation of traffic from the means of its delivery.

  • If the tunnel interface does not need to support policy-based NAT and does not need to be bound to a tunnel zone, it can be unnumbered. An unnumbered tunnel interface must be bound to a security zone; it cannot be bound to a tunnel zone. The interface whose IP address the unnumbered tunnel interface borrows must also be bound to that security zone.




In addition, a route-based VPN must include the following configuration:

  • Tunnel interface

  • Phase 1 VPN gateway configuration (VPNs > AutoKey Advanced > Gateway in the WebUI)

  • Phase 2 VPN configuration (VPNs > AutoKey IKE in the WebUI), including:

    • Local and remote proxy ID

    • VPN bound to the tunnel interface

  • Route for the remote network pointing to the tunnel interface

  • Policy with action Permit to allow the traffic
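As an added worked example, not part of the original article, the ScreenOS CLI commands for the route-based configuration listed above, followed by the same tunnel expressed as a policy-based VPN for contrast and the get sa check described in the Policy Based section. The addresses, interface and zone names, address-book and gateway/VPN names, and the pre-shared key are assumed sample values; lines beginning with # are annotations, not ScreenOS commands.

```text
# Address-book entries used by the policies below (sample values)
set address trust lan-local 192.168.1.0 255.255.255.0
set address untrust lan-branch 10.10.10.0 255.255.255.0

# --- Route-based VPN ---
# Tunnel interface: unnumbered, in security zone untrust, borrowing
# the address of ethernet0/0 (which is also in untrust)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1 gateway (VPNs > AutoKey Advanced > Gateway in the WebUI)
set ike gateway gw-branch address 1.1.1.1 main outgoing-interface ethernet0/0 preshare "SamplePSK-ChangeMe" sec-level standard

# Phase 2 VPN: bound to the tunnel interface, with explicit proxy IDs
# (route-based VPNs cannot derive proxy IDs from a policy, so set them here)
set vpn vpn-branch gateway gw-branch sec-level standard
set vpn vpn-branch bind interface tunnel.1
set vpn vpn-branch proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/24 "ANY"

# Route for the remote network via the tunnel interface
set route 10.10.10.0/24 interface tunnel.1

# Permit policies: no tunnel is named; the route selects tunnel.1
set policy from trust to untrust lan-local lan-branch "ANY" permit
set policy from untrust to trust lan-branch lan-local "ANY" permit

# --- The same tunnel as a policy-based VPN (an alternative, not an addition) ---
# No tunnel interface, bind, or route: the policy names the VPN with the
# tunnel action, and its source/destination addresses become the proxy IDs.
set ike gateway gw-branch address 1.1.1.1 main outgoing-interface ethernet0/0 preshare "SamplePSK-ChangeMe" sec-level standard
set vpn vpn-branch gateway gw-branch sec-level standard
set policy from trust to untrust lan-local lan-branch "ANY" tunnel vpn vpn-branch

# --- Checking which type is in use ---
# PID column reads -1 for SAs of a VPN bound to a tunnel interface
# (route-based) and a policy ID for SAs created by a tunnel-action policy
get sa
# Lists every VPN that is bound to a tunnel interface, i.e. route-based
get config | include "bind interface"
```

The second get command is a quick inventory check: a VPN that appears in the bind interface output is route-based, and a VPN that only appears as the target of a policy with the tunnel action is policy-based.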

Common Reasons to use a Route-based VPN:


  • Source or destination NAT (NAT-src, NAT-dst) must be applied to traffic as it traverses the VPN.

  • The two LANs have overlapping subnets or IP addresses.

  • The design uses a hub-and-spoke VPN topology.

  • The design requires a primary and a backup VPN.

  • A dynamic routing protocol (OSPF, RIP or BGP) runs across the VPN.

  • Multiple subnets or networks at the remote site need to be reached across the VPN.
Modification History:
2017-12-01: Article reviewed for accuracy. Article is correct and complete. Tagged for ScreenOS.