Difference between route based vpn and policy based vpn

Hi, I want to understand the difference between route based vpn and policy based vpn with respect to how it is different for the same set-up? For eg. If I have two sites (A and B) and each sites have subnets (X and Y). The Goal is send the traffic encrypted between these two subnets, but how the route based or policy based makes the difference here?

And what advantages will I get in using one over the other in the above set-up

               ┌────────┐                        ┌────────┐
               │site A  │         Internet       │site B  │
 Subnet X──────┤        ├────────────────────────┤        ├───────Subnet Y
               └────────┘                        └────────┘

Thanks in advance!

Hello Amit

The main difference between the two is the method used to determine which traffic is encrypted and tunneled, and which is not.

Policy-based VPNs encrypt and encapsulate a subset of traffic flowing through a specific interface based on a defined policy, most often configured using access lists, to match traffic to be tunneled. IPSec is used for tunneling and for securing communication. An example of such a configuration can be found in this lesson:

Route-based VPNs use layer 3 routed tunnel interfaces as endpoints of the VPN. Instead of matching specific traffic using an access list, all traffic routed to the tunneled interface is passed through the VPN. Such a configuration essentially creates a tunnel (using some tunneling method such as GRE or VTI tunnel interfaces) and encrypts the tunnel using IPSec. A couple of examples of route-based VPNs can be found in these lessons:

Here’s a summary of some of the differences between these two types of VPNs:


  • matches traffic to be tunneled and encrypted using access lists
  • does not support multicast
  • does not support routing protocols passing through the VPN
  • natively supports security/encryption
  • somewhat complex configuration


  • supports multicast (via GRE or VTI)
  • supports routing protocols passing through
  • all traffic passes through routed tunnel interface
  • GRE and VTI do not natively deliver security, so IPSec must be added to secure the VPN
  • simplified configuration

From these, you can also derive what VPN you should choose under which situations…

I hope this has been helpful!



Thanks a ton for explanation!

If you can give an example of each configuration for the same set-up, it would be great!

Hello Amit

There is nothing that I can find that is readily available to compare two identical situations where each one uses a different type of VPN. However, if you take a look at the IPSec Static Virtual Tunnel Interface lesson and the Cisco IPsec Tunnel Mode Configuration lesson and compare them side by side, you will see the primary differences clearly.

I hope this has been helpful!