Comparison of Policy-Based VPNs and Route-Based VPNs
Security Director supports configuring two types of VPNs for SRX Series devices: policy-based and route-based VPNs. The underlying IPsec functionality, and the protection the encrypted traffic receives, is the same for both; they differ in how traffic is selected for the tunnel and in how many IPsec security associations (SAs) that selection produces.
| Policy-Based VPNs | Route-Based VPNs |
|---|---|
| A tunnel is treated as an object that, together with source, destination, application, and action, constitutes a tunnel policy permitting VPN traffic. | A policy does not specifically reference a VPN tunnel. |
| A tunnel policy specifically references a VPN tunnel by name. | A route determines which traffic is sent through the tunnel, based on the destination IP address. |
| The number of policy-based VPN tunnels that you can create is limited by the number of tunnels that the device supports. | The number of route-based VPN tunnels that you can create is limited by the number of st0 interfaces (for point-to-point VPNs) or the number of tunnels that the device supports, whichever is lower. |
| Although you can create numerous tunnel policies referencing the same VPN tunnel, each tunnel policy pair creates an individual IPsec security association (SA) with the remote peer. Each SA counts as an individual VPN tunnel. | Because the route, not the policy, determines which traffic goes through the tunnel, multiple policies can be supported with a single SA or VPN. |
| The action must be permit and must include a tunnel. | The regulation of traffic is not coupled to the means of its delivery. |
| The exchange of dynamic routing information is not supported. | Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on an st0 interface that is bound to a VPN tunnel. |
| If you need more granularity than a route can provide to specify the traffic sent to a tunnel, a policy-based VPN with security policies is the better choice. | Route-based VPNs use routes to specify the traffic sent to a tunnel; a policy does not specifically reference a VPN tunnel. |
| You can consider a tunnel as an element in the construction of a policy. | When the security device does a route lookup to find the interface through which it must send traffic to reach an address, it finds a route through a secure tunnel (st0) interface. With a route-based VPN tunnel, you can consider the tunnel as a means for delivering traffic and the policy as a method for either permitting or denying that delivery. |
Proxy IDs are supported for both route-based and policy-based VPNs, but multiple proxy IDs (multi-proxy ID, also known as traffic selectors) are supported only for route-based VPNs. A traffic selector is an agreement between IKE peers to permit traffic through a tunnel only if the traffic matches a specified pair of local and remote addresses. You define traffic selectors within a specific route-based VPN; each selector negotiates its own Phase 2 IPsec SA, so one VPN can result in multiple Phase 2 SAs, and only traffic that conforms to a selector is permitted through its SA. Traffic selectors are commonly required when the remote gateway is a non-Juniper Networks device, because such peers often negotiate one SA per subnet pair rather than accepting the 0.0.0.0/0 proxy IDs that a route-based Junos VPN uses by default.
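As an added example that is not part of the Security Director documentation, the following Junos configuration fragment shows the two models side by side on an SRX: a policy-based VPN whose security policy names the tunnel (then permit tunnel ipsec-vpn) and needs a pair policy for the return direction, and a route-based VPN bound to st0.0 with two traffic selectors and a static route. All names (gw-pb, gw-rb, vpn-pb, vpn-rb, the vpn zone, the address-book entries hq-lan, site-b and site-c) and all addresses are assumptions for illustration; the address-book entries and the ge-0/0/0.0 uplink are assumed to already exist.

```junos
/* Added example, not from the Security Director documentation. Names and
   addresses are assumptions; hq-lan, site-b and site-c are assumed address-book entries. */
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            proposals ike-prop;
            pre-shared-key ascii-text "replace-with-a-per-peer-secret";
        }
        /* One IKE gateway per remote peer (documentation addresses). */
        gateway gw-pb {
            ike-policy ike-pol;
            address 203.0.113.10;
            external-interface ge-0/0/0.0;
        }
        gateway gw-rb {
            ike-policy ike-pol;
            address 203.0.113.20;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy { keys group14; }
            proposals ipsec-prop;
        }
        /* Policy-based: no bind-interface. The policy pair below names this
           VPN, and every such pair negotiates its own Phase 2 SA. */
        vpn vpn-pb {
            ike {
                gateway gw-pb;
                ipsec-policy ipsec-pol;
                proxy-identity {
                    local 10.1.0.0/16;
                    remote 10.3.0.0/16;
                    service any;
                }
            }
        }
        /* Route-based: bound to st0.0. Each traffic selector (multi-proxy ID)
           negotiates its own Phase 2 SA with the peer, and only traffic
           matching that selector is accepted on that SA. */
        vpn vpn-rb {
            bind-interface st0.0;
            ike {
                gateway gw-rb;
                ipsec-policy ipsec-pol;
            }
            traffic-selector ts-lan {
                local-ip 10.1.0.0/16;
                remote-ip 10.2.0.0/16;
            }
            traffic-selector ts-dmz {
                local-ip 192.168.50.0/24;
                remote-ip 10.2.0.0/16;
            }
        }
    }
    policies {
        /* Policy-based: the action must be permit and must carry the tunnel;
           the return direction is the pair policy. */
        from-zone trust to-zone untrust {
            policy pb-out {
                match { source-address hq-lan; destination-address site-c; application any; }
                then { permit { tunnel { ipsec-vpn vpn-pb; pair-policy pb-in; } } }
            }
        }
        from-zone untrust to-zone trust {
            policy pb-in {
                match { source-address site-c; destination-address hq-lan; application any; }
                then { permit { tunnel { ipsec-vpn vpn-pb; pair-policy pb-out; } } }
            }
        }
        /* Route-based: the policy only permits or denies; it never names the VPN. */
        from-zone trust to-zone vpn {
            policy rb-out {
                match { source-address any; destination-address site-b; application any; }
                then { permit; }
            }
        }
    }
    zones { security-zone vpn { interfaces { st0.0; } } }
}
interfaces { st0 { unit 0 { family inet { address 10.255.0.1/30; } } } }
/* Route-based: the route, not the policy, steers traffic into the tunnel. */
routing-options { static { route 10.2.0.0/16 next-hop st0.0; } }
```

Two things to check after committing such a configuration: show security ipsec security-associations should list one SA per policy pair for vpn-pb and one per traffic selector for vpn-rb, and show route 10.2.0.0/16 should resolve to st0.0, since without that route nothing enters vpn-rb regardless of what rb-out permits. With traffic selectors, Junos can also insert the matching routes automatically (auto route insertion); the static route is written out here to make the dependency explicit.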
Shared Point-to-Point st0 Interface
Junos Space Security Director supports sharing a point-to-point st0 logical interface among multiple VPN objects when the IPsec VPN service runs under the iked process, which provides a migration path from the kmd process.
Prerequisites to configure multiple VPN objects to a shared point-to-point st0 interface:
- You have configured explicit traffic selectors.
- You have not used a wildcard network mask in your configuration.
- To import a site-to-site VPN with a shared point-to-point st0 interface for a route-based VPN, uncheck the Aggregate and import unnumbered tunnels as hub and spoke option in the Junos Space Network Management Platform GUI, under Administration > Applications > Security Director. Select Modify Application Settings from the Actions menu or the shortcut menu and click VPNImport.
To know more about the requirements, benefits and limitations of a shared point-to-point st0 interface, see Shared Point-to-Point st0 Interface in Junos.
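As an added example that is not part of the page, this is what the prerequisites above look like in Junos configuration: two route-based VPN objects bound to the same st0.0, each with an explicit traffic selector and no wildcard mask. The names (vpn-site-b, vpn-site-c, gw-site-b, gw-site-c, ipsec-pol) and addresses are assumptions; the IKE gateways and IPsec policy are assumed to be defined under security ike and security ipsec as for any route-based VPN, and the device is assumed to run the IPsec VPN service under iked, as the section requires.

```junos
/* Added example with assumed names and addresses: two VPN objects sharing
   st0.0. Requires iked and explicit, non-wildcard traffic selectors. */
security {
    ipsec {
        vpn vpn-site-b {
            bind-interface st0.0;
            ike { gateway gw-site-b; ipsec-policy ipsec-pol; }
            /* Explicit selector: the selector, not the interface, now
               identifies which tunnel a flow belongs to. */
            traffic-selector ts-b {
                local-ip 10.1.0.0/16;
                remote-ip 10.2.0.0/16;
            }
        }
        vpn vpn-site-c {
            bind-interface st0.0;
            ike { gateway gw-site-c; ipsec-policy ipsec-pol; }
            traffic-selector ts-c {
                local-ip 10.1.0.0/16;
                remote-ip 10.3.0.0/16;
            }
            /* Not allowed here: a wildcard such as remote-ip 0.0.0.0/0 would
               overlap every other VPN on the shared interface and fails the
               prerequisites above. */
        }
    }
}
interfaces { st0 { unit 0 { family inet { address 10.255.0.1/30; } } } }
```

Because each VPN object is distinguished only by its selectors, keep the remote-ip ranges of the VPNs sharing one st0 unit disjoint; overlapping selectors make it ambiguous which SA a destination belongs to.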
Make sure all requirements are met; otherwise, you will see the following error message:
Protected network is not chosen for device with st0 interface
Configure Multiple VPN Objects to a Shared Point-to-Point st0 Interface
- Create a new site-to-site VPN. For details, see Create a Site-to-Site VPN.
- Select the newly created VPN, and click the edit icon.
- Select the device for which you want to modify the default st0 interface.
- Click View/Edit Tunnels. The Edit Tunnels window is displayed.
- Modify the tunnel interface, click OK, and then save the modified configuration.
- Publish and update the newly created VPN. A Job Status window is displayed with details related to the job.