Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

VPN Tunnel Types Overview

 

You can configure three types of VPN tunnels with NSM:

  • Policy-based VPNs—The VPN tunnel is created and maintained only during the transfer of network traffic that matches a VPN rule, and it is torn down when the connection ends. Use policy-based VPNs when you want to encrypt and authenticate certain types of traffic between two VPN members.

  • Route-based VPNs—The VPN tunnel is created when the route is defined and is maintained continuously. Use route-based VPNs when you want to encrypt and authenticate all traffic between two VPN members. You cannot add RAS users in a routing-mode VPN.

  • Mixed-mode VPNs—Policy-based VPNs are connected to route-based VPNs in a mixed-mode VPN. You cannot add RAS users in a mixed-mode VPN.

The following sections detail Policy-based and Route-based VPN types.

About Policy-Based VPNs

A policy-based VPN tunnels traffic between two security devices or between one security device and a remote user. Each time a security device detects traffic that matches the from zone, source, to zone, destination, and service in the VPN rule, it creates the VPN tunnel to encrypt, authenticate, and send the data to the specified destination. When no traffic matches the VPN rule, the firewall tears down the VPN tunnel.

To create a policy-based VPN, use NSM to configure a policy based on the network components you want to protect, including protected resources, and then push the configuration to the security device(s). The security device(s) use the configuration to create the VPN tunnel. A protected resource is a combination of a network component and a service; protected resources in a VPN can communicate with other protected resources using the specified services. In a VPN rule, you add protected resources as the source and destination IP addresses.

Policy-based VPNs can use any of the supported data protection methods. Use policy-based VPNs when you want to enable remote access server (RAS). You can add users to the VPN just as you add devices, enabling user access to all resources within the VPN.

About Route-Based VPNs

Like a policy-based VPN, a route-based VPN tunnels traffic between two security devices or between one security device and a remote user. However, a route-based VPN automatically tunnels all traffic between two termination points, without regard for the type of traffic. Because the tunnel is an always-on connection between two network points, the security device views the tunnel as a static network resource through which to route traffic.

To create the termination points of the tunnel, you designate an interface on the security device as a tunnel interface, then define a static route or use a dynamic routing protocol (BGP, OSPF) between all tunnel interfaces in the VPN. The tunnel interface, just like a physical interface, maintains state to enable dynamic routing protocols to make route decisions. When using VPN Manager to create your route-based VPNs, the tunnel interfaces are automatically created for you.