What is route based VPN and policy-based VPN?
Most firewall appliances support both policy-based and route-based VPNs. In most cases either one will work, so the choice rarely matters, but there are a couple of things to consider.
Route-based VPNs are more flexible and more powerful, and are recommended over policy-based VPNs. However, a policy-based VPN is usually simpler to create.
A route-based VPN creates a virtual IPsec interface; whatever traffic is routed to that interface is encrypted, and whatever arrives on it is decrypted, according to the Phase 1 and Phase 2 IPsec settings.
In a policy-based VPN, the tunnel is specified within the firewall policy itself, with an action of IPsec. For a policy-based VPN only one policy is required. A route-based VPN is created with two policies, one for inbound and another for outbound traffic, each with a normal Accept action.
A static route is also required for a route-based VPN, so that anything destined for the remote network is sent through the virtual IPsec interface, which is created when interface mode is enabled in the Phase 1 settings.
If the VPN connection requires redundancy (for example a backup tunnel over a second ISP), a route-based VPN is normally required, because failover is then handled by routing: the backup tunnel gets a second static route with a worse metric, or a dynamic routing protocol runs over the tunnels.