Which item is different when configuring a route-based VPN gateway than a policy-based VPN gateway?

A. Gateway
B. Security Proposal
C. Outgoing interface
D. Binding a tunnel interface

Explanation:
Policy Based
1. A Policy Based VPN is a configuration in which a specific VPN tunnel is referenced in a policy whose action is set as tunnel.
2. When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a Policy Based VPN configuration.
3. Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support Policy Based VPN.
Route Based
1. A Route Based VPN is a configuration in which the policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone.
2. When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface.
3. You can consider a tunnel as a means for delivering traffic between points A and B, and a policy as a method for either permitting or denying the delivery of that traffic. Simply put, ScreenOS allows you the freedom to separate the regulation of traffic from the means of its delivery.
4. If the tunnel interface does not need to support Policy Based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows.
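To make the difference concrete, here is an added side-by-side ScreenOS configuration (written for this page; it is not part of the original question or of Juniper's documentation). The gateway name gw-branch, VPN name vpn-branch, interfaces ethernet3 and tunnel.1, the zones, address-book names and all IP addresses are assumed values, the pre-shared key is a placeholder, and lines starting with # are annotations rather than ScreenOS commands. The policy-based and route-based sections are alternatives; you would configure one or the other.

```text
# --- Shared by both styles: IKE gateway (phase 1) and VPN object (phase 2) ---
# Gateway, security proposal (sec-level) and outgoing interface are identical
# in both configurations.
set ike gateway gw-branch address 203.0.113.2 main outgoing-interface ethernet3 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn vpn-branch gateway gw-branch sec-level standard
set address trust "Trust_LAN" 10.1.0.0 255.255.0.0
set address untrust "Branch_LAN" 10.2.0.0 255.255.0.0

# --- Policy-based alternative: the policy names the tunnel (action = tunnel) ---
# No tunnel interface and no route to the remote LAN are required; the policy
# decides both whether the traffic is allowed and that it enters vpn-branch.
set policy id 1 from trust to untrust "Trust_LAN" "Branch_LAN" any tunnel vpn vpn-branch
set policy id 2 from untrust to trust "Branch_LAN" "Trust_LAN" any tunnel vpn vpn-branch

# --- Route-based alternative: the extra step is binding the VPN to tunnel.1 ---
# Unnumbered tunnel interface placed in a security zone; it borrows the
# address of ethernet3 (so policy-based NAT on it is not available).
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
# The binding step that has no counterpart in the policy-based configuration:
set vpn vpn-branch bind interface tunnel.1
# Delivery: a route, not a policy, steers traffic into the tunnel interface.
set route 10.2.0.0/16 interface tunnel.1
# Regulation: the policy only permits or denies; it never references the VPN.
set policy id 1 from trust to untrust "Trust_LAN" "Branch_LAN" any permit
set policy id 2 from untrust to trust "Branch_LAN" "Trust_LAN" any permit
```

Reading the two halves against each other shows the separation the explanation describes: in the route-based half the route carries the traffic to tunnel.1 and the policy decides only whether it may pass, whereas in the policy-based half a single policy line does both jobs. Any traffic that matches the route but no permit policy is dropped, so a route-based design still needs policies for every flow that should cross the tunnel.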
