
[J/SRX] What is the difference between a policy-based VPN and a route-based VPN?

  [KB10105]


Summary:

This article explains the differences between a policy-based VPN and a route-based VPN for Junos. In addition, it explains how to identify which type is configured for an existing VPN.


Symptoms:

What type of VPN is configured, policy-based or route-based?


Cause:
 
Solution:

Policy-based VPN:

For an explanation of policy-based VPNs and examples of where policy-based VPNs can be used, refer to Understanding Policy-Based IPsec VPNs.

The tunnel is a means for delivering traffic between points A and B, with the security policy doing two jobs at once: directing traffic into the tunnel and permitting or denying the delivery of that traffic.
A policy-based VPN configuration therefore includes a security policy whose action includes tunnel and references a specific VPN.

CLI:
root@siteA# show security policies
from-zone trust to-zone untrust {
    policy vpnpolicy-tr {
        match {
            source-address local-net;
            destination-address remote-net;
            application any;
        }
        then {
            permit {
                tunnel {    <----------------------
                    ipsec-vpn ike-vpn-srx2;
                }
            }
        }
    }
}
J-Web:

Select Configure > Security > Policy > FW Policies
A lock icon in the 'Action' column means that it is a VPN tunnel policy.
   Note: If you hover over the lock icon it will specify that it is a tunnel policy.

Route-based VPN:

For an explanation of route-based VPNs and examples of where route-based VPNs can be used, refer to Understanding Route-Based IPsec VPNs.

Important points:
  • The tunnel is a means for delivering traffic between points A and B using routes with next-hops pointing towards the associated st0 interface
  • A security policy is used for either permitting or denying the delivery of that traffic
  • The st0 interface can be numbered or unnumbered
  • st0 interfaces must be bound to a security zone

A route-based VPN has no associated security policy with tunnel action. Instead, the VPN tunnel is bound to a secure tunnel interface (st0) using the 'bind-interface' command in the [security ipsec vpn vpn-name] hierarchy.

CLI:
root@siteA# show security ipsec
...
vpn ike-vpn-srx1 {
    bind-interface st0.0;   <----------------------
    ike {
        gateway gw-srx1;
        proxy-identity {
            local 192.168.2.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
J-Web:
Select Configure > IPsec VPN > Auto Tunnel > Phase II.  A st0 interface in the 'Bind Interface' column means that it is a route-based VPN.  (For a policy-based VPN the 'Bind Interface' column will be blank.)
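The two CLI checks above (a policy with permit > tunnel > ipsec-vpn, or a vpn stanza with bind-interface st0.x) can be applied to saved "show" output when auditing many VPNs at once. The script below is an added example, not Juniper code or part of this article: it walks the curly-brace configuration format, tags each VPN as policy-based or route-based, flags a VPN that has both a tunnel policy and a bind-interface (an inconsistent mix), and, when "show security zones" output is supplied, reports whether the bound st0 unit is actually placed in a security zone as the bullet list above requires. The sample outputs embedded in it are constructed from the article's excerpts; ike-vpn-srx3, gw-srx2/gw-srx3 and the zones stanza are invented for illustration.

```python
import re

# Constructed sample 'show' output modelled on the CLI excerpts in this
# article: ike-vpn-srx1 (bind-interface st0.0) and ike-vpn-srx2 (tunnel
# policy) come from it; ike-vpn-srx3 and the zones stanza are constructed.
POLICIES_OUTPUT = """\
from-zone trust to-zone untrust {
    policy vpnpolicy-tr {
        match { source-address local-net; destination-address remote-net; application any; }
        then { permit { tunnel { ipsec-vpn ike-vpn-srx2; } } }
    }
}
"""
IPSEC_OUTPUT = """\
vpn ike-vpn-srx1 {
    bind-interface st0.0;
    ike { gateway gw-srx1; ipsec-policy ipsec-phase2-policy; }
    establish-tunnels immediately;
}
vpn ike-vpn-srx2 { ike { gateway gw-srx2; ipsec-policy ipsec-phase2-policy; } }
vpn ike-vpn-srx3 { ike { gateway gw-srx3; ipsec-policy ipsec-phase2-policy; } }
"""
ZONES_OUTPUT = """\
security-zone trust { interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { ping; } } } } }
security-zone vpn { interfaces { st0.0; } }
"""

# One token per block opener ("name {"), leaf statement ("name;") or closer ("}").
_TOKEN = re.compile(r"\s*(?:([^{};]+?)\s*\{|([^{};]+?)\s*;|(\}))")


def walk(text):
    """Yield (enclosing block names, statement) for each token of a
    curly-brace Junos config. Block openers are yielded before being pushed,
    so callers see both the 'st0.0;' and the 'st0.0 { ... }' forms."""
    stack = []
    for block, stmt, close in _TOKEN.findall(text):
        if close:
            stack.pop()
        elif block:
            yield list(stack), block.strip()
            stack.append(block.strip())
        else:
            yield list(stack), stmt.strip()


def _named(stack, keyword):
    """Name of the nearest enclosing '<keyword> <name>' block, or None."""
    for entry in reversed(stack):
        if entry.startswith(keyword + " "):
            return entry.split()[1]
    return None


def tunnel_policies(policies_text):
    """ipsec-vpn name -> [(zone pair, policy)] for every security policy
    whose 'permit { tunnel { ipsec-vpn X; } }' steers traffic into X."""
    refs = {}
    for stack, stmt in walk(policies_text):
        if stmt.startswith("ipsec-vpn ") and "tunnel" in stack:
            zones = next((s for s in stack if s.startswith("from-zone ")), "?")
            refs.setdefault(stmt.split()[1], []).append((zones, _named(stack, "policy")))
    return refs


def bind_interfaces(ipsec_text):
    """(all vpn names, {vpn name: bound st0 unit}) from 'show security ipsec'."""
    vpns, binds = set(), {}
    for stack, stmt in walk(ipsec_text):
        vpn = _named(stack, "vpn")
        if vpn is None:
            continue
        vpns.add(vpn)
        if stmt.startswith("bind-interface "):
            binds[vpn] = stmt.split()[1]
    return vpns, binds


def interface_zones(zones_text):
    """interface unit -> security zone from 'show security zones'."""
    return {stmt: _named(stack, "security-zone")
            for stack, stmt in walk(zones_text) if stack and stack[-1] == "interfaces"}


def classify_vpns(policies_text, ipsec_text, zones_text=""):
    """{vpn name: description}: route-based when bound to an st0 interface,
    policy-based when a tunnel policy references it."""
    tunnels = tunnel_policies(policies_text)
    vpns, binds = bind_interfaces(ipsec_text)
    zones = interface_zones(zones_text)
    result = {}
    for vpn in sorted(vpns | set(tunnels)):
        if vpn in binds and vpn in tunnels:
            result[vpn] = "inconsistent: both bind-interface and tunnel policy"
        elif vpn in binds:
            zone = zones.get(binds[vpn])
            where = f"in zone {zone}" if zone else "(not in any security zone)"
            result[vpn] = f"route-based via {binds[vpn]} {where}"
        elif vpn in tunnels:
            result[vpn] = "policy-based via " + ", ".join(p for _, p in tunnels[vpn])
        else:
            result[vpn] = "not referenced by any tunnel policy or st0 interface"
    return result


if __name__ == "__main__":
    for vpn, kind in classify_vpns(POLICIES_OUTPUT, IPSEC_OUTPUT, ZONES_OUTPUT).items():
        print(f"{vpn}: {kind}")
```

Feed it the text of "show security policies", "show security ipsec" and optionally "show security zones" captured from the device. The tokenizer splits on braces and semicolons rather than lines, so it accepts both the one-statement-per-line layout the CLI prints and the collapsed "} } } }" style; it does not handle "#" comments or the "<----" annotations used in this article, so strip those first.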





For configuration help, refer to KB21899 - Resolution Guides and Articles - SRX - VPN.

