    Understanding Route-Based IPsec VPNs

    With route-based VPNs, you can configure dozens of security policies to regulate traffic flowing through a single VPN tunnel between two sites, and there is just one set of IKE and IPsec SAs at work. Unlike policy-based VPNs, for route-based VPNs, a policy refers to a destination address, not a VPN tunnel. When Junos OS looks up a route to find the interface to use to send traffic to the packet’s destination address, it finds a route through a secure tunnel interface (st0.x). The tunnel interface is bound to a specific VPN tunnel, and the traffic is routed to the tunnel if the policy action is permit.

    Examples of where route-based VPNs can be used:

    • There are overlapping subnets or IP addresses between the two LANs.
    • A hub-and-spoke VPN topology is used in the network, and spoke-to-spoke traffic is required.
    • Primary and backup VPNs are required.
    • A dynamic routing protocol (for example, OSPF, RIP, or BGP) is running across the VPN.

    Note: We recommend that you use route-based VPN when you want to configure VPNs between multiple remote sites. Route-based VPN allows routing between the spokes of multiple remote sites, and it is easier to configure, monitor, and troubleshoot.

    Use policy-based VPN when your topology has a third-party device that requires separate SAs for each remote subnet.

    Published: 2012-06-29