The main difference between the two is the method used to determine which traffic is encrypted and tunneled, and which is not.
Policy-based VPNs encrypt and encapsulate a subset of the traffic flowing through a specific interface, selected by a defined policy (most often an access list) that matches the traffic to be tunneled. IPSec is used both for tunneling and for securing the communication. An example of such a configuration can be found in this lesson:
Route-based VPNs use layer 3 routed tunnel interfaces as endpoints of the VPN. Instead of matching specific traffic using an access list, all traffic routed to the tunneled interface is passed through the VPN. Such a configuration essentially creates a tunnel (using some tunneling method such as GRE or VTI tunnel interfaces) and encrypts the tunnel using IPSec. A couple of examples of route-based VPNs can be found in these lessons:
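To make the difference concrete, here is an added Cisco IOS example (not taken from the lessons linked above) showing the same site-to-site VPN built both ways on R1. The addresses (WAN 203.0.113.1 and 203.0.113.2, LANs 192.168.1.0/24 and 192.168.2.0/24, tunnel subnet 10.0.0.0/30), the names (TS, VPN-TRAFFIC, CMAP, IPSEC-PROFILE, Tunnel0) and the PSK placeholder are all assumptions chosen for the example.

```cisco
! ===== Common IKEv1/IPSec settings used by both variants (assumed values) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_REAL_PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! ===== Variant 1: policy-based VPN (crypto map) =====
! The access list IS the policy: only packets it permits are encrypted,
! everything else leaving Gi0/0 is sent in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! ===== Variant 2: route-based VPN (VTI protected by IPSec) =====
! No access list: whatever the routing table sends into Tunnel0 is encrypted.
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! Static route into the tunnel selects the traffic to protect ...
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ... or let a routing protocol do it; the adjacency itself runs inside the tunnel,
! which a policy-based crypto map cannot offer.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

For a GRE-over-IPSec variant, leave Tunnel0 in its default GRE mode (omit `tunnel mode ipsec ipv4`) and keep `tunnel protection`; GRE then carries multicast and non-IP traffic, which is why routing protocols work over it. In either variant, `show crypto session` and `show crypto ipsec sa` confirm which peer and which traffic selectors are actually being encrypted, which is the check to run when a flow unexpectedly leaves in the clear.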
Here’s a summary of some of the differences between these two types of VPNs:

Policy-based VPN:
- matches traffic to be tunneled and encrypted using access lists
- does not support multicast
- does not support routing protocols passing through the VPN
- natively supports security/encryption
- somewhat complex configuration

Route-based VPN:
- supports multicast (via GRE or VTI)
- supports routing protocols passing through
- all traffic routed to the tunnel interface passes through the VPN
- GRE and VTI do not natively deliver security, so IPSec must be added to secure the VPN
- simplified configuration
From these, you can also derive which type of VPN you should choose in which situation…
I hope this has been helpful!