Route-Based VPN
With route-based VPNs, you don’t need to specifically mention a VPN tunnel in a policy. The number of route-based VPN tunnels you can create depends on the device’s support for route entries or virtual interfaces, whichever is lower. Route-based VPNs allow NAT for virtual interfaces. They are typically used for hub-and-spoke topologies. With route-based VPNs, traffic regulation (the security policy) is independent of the delivery method (the route that sends traffic into the tunnel’s virtual interface). You can configure multiple policies for traffic flowing through a single VPN tunnel, and only one IPsec SA is active. Additionally, in a route-based VPN configuration, you can create policies that deny traffic to a destination reached through a VPN tunnel. Route-based VPNs also support the exchange of dynamic routing information through VPN tunnels. You can enable dynamic routing protocols like OSPF on a virtual interface bound to a VPN tunnel.
Policy-Based VPN
With policy-based VPNs, you can create multiple tunnels, each referenced from a policy. That policy specifies the source, destination, application, and action, and it is what allows traffic into the VPN tunnel.
The number of policy-based VPN tunnels you can create depends on the device’s limit for policies.
If you need to use NAT for tunneled traffic, policy-based VPNs cannot be used.
Policy-based VPNs are not suitable for hub-and-spoke topologies.
In a policy-based VPN configuration, the action must be set to “allow” and include a tunnel.
Dynamic routing information cannot be exchanged in policy-based VPNs.
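As an added example (not part of the original text or any vendor’s documentation), the two models above expressed as Linux XFRM configuration: the route-based variant binds the tunnel to a virtual interface (ipsec0) so routes, deny rules and NAT apply to it like any link, while the policy-based variant has no interface and the XFRM policy selector is the only place tunnelled traffic is defined. Gateway and subnet addresses are constructed placeholders, and an IKE daemon (for example strongSwan) is assumed to negotiate the ESP SAs for reqid 1 / if_id 42; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: route-based vs policy-based IPsec on Linux (XFRM).
# Addresses are constructed placeholders; SAs are assumed to come from IKE.
LOCAL_GW=203.0.113.1;  REMOTE_GW=198.51.100.1
LOCAL_NET=10.1.0.0/16; REMOTE_NET=10.2.0.0/16
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands; set to 0 to apply them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Route-based: the tunnel is a virtual interface. The routing table decides
# what enters it, and firewall/NAT rules reference the interface separately.
route_based_vpn() {
    run ip link add ipsec0 type xfrm dev eth0 if_id 42
    run ip link set ipsec0 up
    # Catch-all policies bound to the interface: whatever is routed into
    # ipsec0 is encapsulated, regardless of its source/destination.
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp mode tunnel reqid 1 if_id 42
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir in \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel reqid 1 if_id 42
    run ip route add "$REMOTE_NET" dev ipsec0                    # delivery: a route
    run iptables -A FORWARD -o ipsec0 -d 10.2.99.0/24 -j DROP    # regulation: a deny rule
    run iptables -t nat -A POSTROUTING -o ipsec0 -j MASQUERADE   # NAT on the virtual interface
    # A routing daemon (e.g. FRR) can run OSPF on ipsec0 like any other link.
}

# Policy-based: no interface. The policy selector is both the access rule and
# the tunnel choice, so the only possible action is "allow into this tunnel".
policy_based_vpn() {
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_NET" dir out \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp mode tunnel reqid 1
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" dir in \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel reqid 1
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" dir fwd \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel reqid 1
    # Nothing to route through or NAT on: rewriting the source after the
    # selector match would stop the packet matching the tunnel policy.
}

echo "# route-based";  route_based_vpn
echo "# policy-based"; policy_based_vpn
```

Run with `DRY_RUN=0` on a gateway to apply the commands; the dry run is enough to compare where each model puts the “which traffic is tunnelled” decision.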