Description:

This article describes the differences between Policy-based and Route-based IPSec with LANCOM R&S®Unified Firewalls.
Policy-based IPSec

General:
It is sufficient to create a VPN connection with corresponding VPN rules. If data traffic is to be transmitted to the external network, the traffic is automatically routed via the correct VPN tunnel (as long as it is allowed by corresponding firewall rules).

Advantages:
- Lower configuration effort needed compared to route-based IPSec.

Disadvantages:
- More difficult analysis in the error state, as a capture of the VPN data traffic can only be created with greater effort (it would be necessary to create a capture of the WAN connection, which would then have to be decrypted afterwards).
- Assigning a fixed IP address to Client-to-Site connections is not possible.
- ANY-to-ANY VPN rules cannot be used.

Route-based IPSec

General:
The option Route-Based IPSec has to be activated. Additionally, a routing entry for the VPN connection, which references the destination network, has to be created in routing table 254.

Advantages:
- Simple analysis in the error state, as a capture of the VPN data traffic can be created via tcpdump due to the available VPN interface (xfrm101, xfrm102, etc.).
- Assigning a fixed IP address to Client-to-Site connections is only possible with route-based IPSec.
- Using an ANY-to-ANY VPN rule is only possible with route-based IPSec. Otherwise, with policy-based IPSec, the address 0.0.0.0/0 would be routed via the tunnel, which collides with the default route for the WAN connection.
- It is possible to use user-defined routing entries based on routing rules.

Disadvantages:
- Greater configuration effort needed compared to policy-based IPSec.
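To make the 0.0.0.0/0 collision concrete, the following is an added Python model of how the two modes pick an egress (not the Unified Firewall's own code): policy-based IPSec does a normal route lookup and then lets a matching VPN rule override it, while route-based IPSec lets the routing table containing the xfrm interface decide. The interface names wan0/lan0 and the prefixes are constructed sample values; xfrm101 and table 254 are from the article.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, egress) tuples; returns the egress or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

# Constructed sample main table: the WAN default route plus the local LAN (not from the article).
MAIN_TABLE = [("0.0.0.0/0", "wan0"), ("192.168.1.0/24", "lan0")]

def policy_based_egress(dst, vpn_rules):
    """Policy-based IPSec: the packet is routed normally first, then compared with the
    remote networks of the VPN rules; a matching rule pulls it into the tunnel
    regardless of what the routing table said."""
    egress = lookup(MAIN_TABLE, dst)
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(remote) for remote in vpn_rules):
        return "tunnel"
    return egress

def route_based_egress(dst, table_254):
    """Route-based IPSec: the tunnel is an interface (xfrm101, ...) in routing table 254
    and the longest-prefix match alone decides where the packet goes."""
    return lookup(table_254, dst)

def overbroad_vpn_rules(vpn_rules):
    """Flags remote networks that would swallow the WAN default route under policy-based IPSec."""
    return [r for r in vpn_rules if ipaddress.ip_network(r).prefixlen == 0]

if __name__ == "__main__":
    # A specific remote network behaves the same in both modes.
    print(policy_based_egress("10.20.0.5", ["10.20.0.0/16"]))   # tunnel
    print(policy_based_egress("8.8.8.8", ["10.20.0.0/16"]))     # wan0
    # ANY-to-ANY as a policy: even plain Internet traffic is pulled into the tunnel.
    print(policy_based_egress("8.8.8.8", ["0.0.0.0/0"]))        # tunnel
    print(overbroad_vpn_rules(["0.0.0.0/0"]))                    # ['0.0.0.0/0']
    # Route-based: the ANY-to-ANY VPN rule is harmless because table 254 decides.
    table_254 = MAIN_TABLE + [("10.20.0.0/16", "xfrm101")]
    print(route_based_egress("10.20.0.5", table_254))           # xfrm101
    print(route_based_egress("8.8.8.8", table_254))             # wan0
```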