Palo Alto Networks : Policy based VPN vs Route based VPN

Policy-based VPN (PBF) and route-based VPN (RBF) are two ways of establishing a Virtual Private Network (VPN): the first selects the tunnel from the security policy, the second from the routing table.

Fig 1.1 - Policy based VPN vs Route based VPN

Route-Based VPN

In a route-based VPN the security policy does not name a specific VPN tunnel. The tunnel is chosen indirectly: a route points at a tunnel interface, and that tunnel interface is bound either to a VPN tunnel or to a tunnel zone.

Traffic is encrypted and decrypted as it passes through the tunnel interface. For a route-based VPN to work, the tunnel interface must be placed in a security zone and bound to a VPN tunnel.

Tunnel interfaces can be numbered or unnumbered. An unnumbered tunnel interface normally borrows the IP address of the security zone interface.

Reasons for Using a Route-Based VPN:

  • Source or Destination NAT (NAT-Src, NAT-Dst) needs to occur as it traverses the VPN
  • Overlapping Subnets/IP Addresses between the two LANs
  • Hub-and-spoke VPN topology
  • Design requires Primary and Backup VPN
  • A dynamic routing protocol (e.g. OSPF, RIP, BGP) is running across the VPN
  • Need to access multiple subnets or networks at the remote site, across the VPN

Policy-based VPN

A policy-based VPN names the tunnel in the policy itself, through the action "IPSec". Only one policy is needed for a policy-based VPN, whereas a route-based VPN uses two policies with the standard "Accept" action, one for inbound and one for outbound traffic.

Reasons for Using a Policy-based VPN

  • The remote VPN device is different from the one you administer
  • Need to access only one subnet or one network at the remote site, across the VPN

Fig 1.2 - Palo Alto Networks : Policy based VPN vs Route based VPN

To summarize, the choice between PBF and RBF is determined by your networking and security requirements. PBF gives granular control over which traffic enters the tunnel, which suits selective VPN routing, while RBF simplifies VPN deployment by relying on routing decisions, which is an advantage in larger and more complex networks.
