What is a route-based VPN and a policy-based VPN?


Most firewall appliances support both policy-based and route-based VPNs. In most cases either type will carry the traffic, but there are a few things to consider before choosing.

Route-based VPNs are more flexible and more powerful, and are recommended over policy-based VPNs. A policy-based VPN, however, is usually simpler to create.

A route-based VPN creates a virtual IPsec interface. Whatever traffic is routed out of that interface is encrypted, and whatever arrives on it is decrypted, according to the Phase 1 and Phase 2 IPsec settings; the routing table, not the firewall policy, decides what enters the tunnel.

In a policy-based VPN, the tunnel is specified within the firewall policy itself with an action of IPsec, and only one policy is required because that single policy handles both the inbound and the outbound direction. A route-based VPN is created with two policies using a normal Accept action, one for outbound traffic (LAN to tunnel interface) and another for inbound traffic (tunnel interface to LAN).

A static route is also required for a route-based VPN, so that anything destined for the remote network is sent through the virtual IPsec interface that was created when interface mode was selected in the Phase 1 settings. Without that route the traffic never reaches the interface, the two Accept policies never match, and nothing is encrypted.
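The two variants side by side, as an added configuration example that is not part of the original page. The page names no vendor; the syntax below is FortiOS CLI as assumed by the editor (the terms Phase 1 interface mode, action IPsec and Accept policies match that product), and the tunnel names, interface names, addresses and the pre-shared-key placeholder are invented for illustration. The route-based half shows the three pieces the text describes: the Phase 1 in interface mode (which creates the virtual interface of the same name), the static route that steers the remote network into it, and the two plain Accept policies. The policy-based half shows the single policy with action IPsec that carries both directions.

```text
# --- Shared address objects (illustrative values) ---
config firewall address
    edit "lan-net"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "hq-net"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# ===== Route-based VPN =====
# Phase 1 in interface mode: this creates a virtual interface named "hq-tunnel".
config vpn ipsec phase1-interface
    edit "hq-tunnel"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "hq-tunnel-p2"
        set phase1name "hq-tunnel"
        set proposal aes256gcm
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Static route: without this, traffic for 10.2.0.0/16 never reaches the tunnel interface.
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "hq-tunnel"
    next
end
# Two ordinary Accept policies, one per direction, with the tunnel interface as src/dst interface.
config firewall policy
    edit 0
        set name "lan-to-hq"
        set srcintf "internal"
        set dstintf "hq-tunnel"
        set srcaddr "lan-net"
        set dstaddr "hq-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "hq-to-lan"
        set srcintf "hq-tunnel"
        set dstintf "internal"
        set srcaddr "hq-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== Policy-based VPN (same peer, for contrast) =====
# No virtual interface and no static route: the policy itself selects the tunnel.
config vpn ipsec phase1
    edit "hq-policy"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2
    edit "hq-policy-p2"
        set phase1name "hq-policy"
        set proposal aes256gcm
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# One policy, action IPsec, covering both directions; the WAN interface is the destination.
config firewall policy
    edit 0
        set name "lan-hq-ipsec"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "hq-net"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "hq-policy"
    next
end
```

Note the security-relevant difference: in the route-based form, what gets encrypted is decided by the routing table plus a policy on a dedicated interface, so a misplaced route sends traffic in clear text rather than silently dropping it, and the static route should be checked whenever the tunnel is added or renamed. In the policy-based form the same selector appears in the firewall policy and the Phase 2 selectors, and the two must agree or the tunnel will negotiate but pass no traffic.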

If the VPN connection requires redundancy, a route-based VPN is normally required. With two tunnel interfaces you can install two routes to the remote network (for example with different administrative distances), and traffic fails over to the backup tunnel when the primary route is withdrawn. A policy-based VPN binds the traffic to a single tunnel inside the policy, which leaves no route to fail over to.