Policy-Based vs Route-Based IPSec VPN in Juniper SRX
There are several differences between policy-based and route-based IPSec VPN in Juniper SRX. In some scenarios a policy-based VPN is the better fit, while in others a route-based VPN is more suitable. I have considered the network scenario with Juniper SRX series devices as shown. Most of the points below apply to other vendors as well, apart from the Junos-specific ones.
The basics of policy-based VPN, from the perspective of Juniper Junos, are listed below:
- A policy-based VPN is configured without any specific routing to the remote networks. VPN traffic reaches the remote network via the default or a static route.
- Traffic flowing through the VPN tunnel can't be NATed in a policy-based VPN.
- The number of VPN tunnels is limited by the number of policies specified.
- Tunnels are specified in the security policies and tied to the name configured in the IPSec (phase-II) VPN configuration.
- Each tunnel policy between the same two sites creates its own IPSec SA (VPN tunnel). With several policies between the two site networks there are several VPN tunnels between the same two sites, which consumes many tunnels for a single site pair.
- Tunnel policies can't be configured with a deny action for traffic flowing through the VPN tunnel.
- It can only be implemented in a point-to-point network topology.
- Remote access VPN can be implemented with a policy-based VPN.
- Policy-based VPN may be supported by vendors that don't support route-based VPN.
- New tunnel policies have to be configured whenever a new IP network is added.
The basics of route-based VPN are listed below:
- A tunnel interface must be configured.
- A route-based VPN must be configured with routing to the remote networks: the remote network has to be reachable via either static or dynamic routing. This is one of the greatest advantages of route-based VPN.
- It supports dynamic routing over the tunnel interface.
- Traffic flowing through the VPN tunnel can be NATed in a route-based VPN, since it passes through either the tunnel interface or the gateway IP address specified as the next hop in the routing table.
- The configured tunnel interface is bound to the IPSec (phase-II) VPN configuration.
- The number of VPN tunnels is limited by either the route entries or the number of tunnel interfaces supported by the device.
- There is a single pair of IPSec Security Associations (SAs) even though numerous policies can be specified to pass traffic through the VPN tunnel. This conserves the number of tunnels used for the same two sites.
- Policies can be configured with a deny action for traffic flowing through the VPN tunnel.
- It can be implemented in hub-and-spoke and point-to-point/multipoint network topologies.
- Remote access VPN can't be implemented with a route-based VPN.
- Route-based VPN might not be supported by all vendors' devices.
- If static routes to the remote location are used, a route has to be added for each new network.
Apart from a few points, route-based IPSec VPN is considered a much more scalable, robust and flexible VPN implementation method than policy-based VPN. Click here for the implementation of policy-based IPSec VPN.