Summary:
This article briefly covers the differences between a Policy-Based VPN and a Route-Based VPN on JUNOS. It also explains how to quickly identify which type is configured for an existing VPN.
Problem or Goal:
Which type of VPN is configured, Route-Based or Policy-Based?
When should I configure Route-Based or Policy-Based?
Solution:
This article applies to:
- J Series devices running:
- JUNOS 9.4 and above
- JUNOS with Enhanced Services 8.5 through 9.3
- SRX Series devices
Policy Based:
- A Policy-Based VPN is a configuration in which a specific VPN tunnel is referenced in a policy whose action includes Tunnel. In Monitor > Security Policies, if the action includes both Permit and Tunnel, then this is a Policy-Based VPN. Opening the policy details shows whether Pair Policy is configured; if it is, the policy is configured for a bi-directional tunnel.
- A Policy-Based VPN makes sense for situations where only a single host (running NetScreen-Remote) or a single subnet or network needs to be reachable across the VPN. If multiple subnets need to be reachable, a Route-Based VPN makes more sense.
- For interoperability with certain third-party VPN devices that do not support the concept of route-based VPNs, a Policy-Based VPN is mandatory if routing to multiple networks across the tunnel.
- A tunnel policy will always have an action of Permit and Tunnel. A Deny action is not allowed.
Route Based:
- A Route-Based VPN is a configuration in which the policy does not reference a specific IPSec VPN. Instead, the VPN tunnel is referenced indirectly by a route whose next-hop is a specific Secure Tunnel (st0) interface. The st0 interface is associated with a specific IPSec VPN through the bind-interface statement in the [security ipsec vpn vpn-name] hierarchy.
- The st0 interface can be numbered or unnumbered. If it is unnumbered, the st0 interface borrows the IP address of an interface in its security zone.
- A tunnel is a means of delivering traffic between points A and B, and a policy is a method of either permitting or denying the delivery of that traffic. Simply put, JUNOS gives you the freedom to separate the regulation of traffic from the means of its delivery.
- If the st0 interface does not need to support Policy-Based NAT, it can be specified as unnumbered. An unnumbered st0 interface must still be bound to a security zone, and an egress interface must also be bound to the security zone from which the unnumbered st0 interface borrows its IP address.
A Route-Based VPN must include the following configuration:
- Secure Tunnel (st0) interface
- Phase I VPN gateway configuration (listed under Configuration > Quick Configuration > VPN > IKE in J-Web)
- Phase II VPN configuration (listed under Configuration > Quick Configuration > VPN > IPSec Autokey in J-Web), including:
  - Local and remote Proxy ID
  - IPSec configuration bound to the st0 interface
- Route for the remote network with the st0 interface as the next-hop
- Policy with an action of Permit to allow the traffic; unlike a tunnel policy, an action of Deny is also allowed here to block specific hosts