Two types of VPNs can be configured on the SRX, policy-based VPNs and route-based VPNs, and their underlying IPsec functionality is essentially the same in terms of how traffic is encrypted. What differs is the implementation, and that difference is what gives each type its administrative capabilities.
Not all vendors provide both policy- and route-based VPNs; however, there are no compatibility issues with terminating a policy-based VPN on one end and a route-based VPN on the other, with one exception: when running dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), or Protocol-Independent Multicast (PIM) over the VPN, only route-based VPNs can be used.
Policy-based VPNs utilize the power of a firewall security policy to define what traffic should be passed through a VPN. Policy-based VPNs allow traffic to be directed to a VPN on a policy-by-policy basis, including the ability to match traffic based on the source IP, destination IP, application, and the respective from- and to-zones. When using policy-based VPNs, the action “Tunnel” is used, which implies that the traffic is permitted, along with defining the VPN to be used in that policy. Additional policy processing such as application services (IPS, URL filtering, antivirus, logging, etc.) can be used in policy-based VPNs.
When using policy-based VPNs, the proxy IDs are derived from the firewall policy that is used. The policy’s source address ...
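The following configuration is an added example, not text from the book, showing how the security policy and the “Tunnel” action described above fit together on an SRX. The zone names, address-book entries, prefixes and the VPN name `to-branch` are constructed; the VPN itself is assumed to be defined separately under `security ipsec vpn to-branch`. The addresses and application matched by the outbound policy are what the SRX uses as the tunnel’s proxy IDs, and `pair-policy` binds the inbound policy to the same tunnel so both directions negotiate a single SA.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                # constructed example prefix; becomes the local proxy ID
                address local-net 10.1.1.0/24;
            }
        }
        security-zone untrust {
            address-book {
                # constructed example prefix; becomes the remote proxy ID
                address remote-net 10.2.2.0/24;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy to-branch-out {
                match {
                    source-address local-net;
                    destination-address remote-net;
                    # "any" here is carried into the proxy-ID service field
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            # assumed VPN name defined under security ipsec vpn
                            ipsec-vpn to-branch;
                            # ties the return-direction policy to this tunnel
                            pair-policy to-branch-in;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy to-branch-in {
                match {
                    source-address remote-net;
                    destination-address local-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn to-branch;
                            pair-policy to-branch-out;
                        }
                    }
                }
            }
        }
    }
}
```

Because the proxy IDs come from the policy, the remote peer’s traffic selectors must mirror `local-net` and `remote-net` exactly (or the peer must accept a wider selector), which is the usual point of failure when a policy-based SRX VPN is paired with a route-based peer.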