Decoding Junos VPN Types: Policy vs Route-Based VPNs

When studying for the JNCIS-ENT certification, understanding the different types of VPNs (Virtual Private Networks) available in Junos is crucial. In this post, we will delve into the two main types of VPNs: Policy-Based and Route-Based VPNs. We will discuss their characteristics, use cases, and configuration examples.

Policy-Based VPNs

A Policy-Based VPN is a VPN that is configured by defining policies that dictate the traffic flow between the VPN endpoints. The policy specifies which traffic should be encrypted and sent through the VPN tunnel.

Characteristics of Policy-Based VPNs

Configuration Example

Here is a basic example of how to configure a Policy-Based VPN on a Junos device:

set security policies from-zone untrust to-zone trust policy vpn-policy match source-address local-net
set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address remote-net
set security policies from-zone untrust to-zone trust policy vpn-policy match application any
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel ipsec-vpn vpn-tunnel

In this example, vpn-policy is the policy that matches traffic from local-net to remote-net and sends it through the vpn-tunnel. Note that the policy only references the VPN by name: the IKE gateway and the IPsec VPN named vpn-tunnel must still be defined under security ike and security ipsec (the same statements shown in the route-based example below, minus the bind-interface), and a policy in the opposite zone direction is needed for the return traffic.

Route-Based VPNs

A Route-Based VPN is a VPN that uses a Virtual Tunnel Interface (VTI) to route traffic through the VPN tunnel. The VTI acts as a logical interface, and traffic is routed to this interface to be sent through the VPN tunnel.

Characteristics of Route-Based VPNs

Configuration Example

Here is a basic example of how to configure a Route-Based VPN on a Junos device:

set interfaces st0 unit 0 family inet address 10.0.0.1/30
set security ike policy ike-policy mode main
set security ike policy ike-policy proposal-set standard
set security ike policy ike-policy pre-shared-key ascii-text "<pre-shared-key>"
set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway external-interface <wan-interface>
set security ipsec policy ipsec-policy proposal-set standard
set security ipsec vpn vpn-tunnel ike gateway ike-gateway
set security ipsec vpn vpn-tunnel ike ipsec-policy ipsec-policy
set security ipsec vpn vpn-tunnel bind-interface st0.0
set routing-options static route 192.0.2.0/24 next-hop st0.0

In this example, st0.0 is the VTI that is bound to the vpn-tunnel. Traffic to 192.0.2.0/24 is routed through this interface. The pre-shared-key and external-interface statements are mandatory for the configuration to commit; <pre-shared-key> and <wan-interface> are placeholders for your own key and the interface that faces the remote peer (203.0.113.1 here).
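The two examples above show how the pieces of a Junos VPN reference each other: a policy-based VPN is only reachable through a security policy that names the IPsec VPN, while a route-based VPN is only reachable through an st0 unit that a route points at. As an added example (not code from the original post or from Juniper), the script below parses Junos set commands and checks that wiring before a commit: it flags a tunnel policy that names an undefined VPN, a VPN with no defined IKE gateway or IPsec policy, a bind-interface with no st0 unit or no static route, and a VPN that nothing steers traffic into. The sample configurations, key placeholder and interface name ge-0/0/0.0 are constructed for the example; only static routes are inspected, so routes learned dynamically over st0 are not seen.

```python
"""Cross-reference checks for Junos policy-based and route-based VPN 'set' configurations."""
import shlex

# Constructed sample: route-based VPN (mirrors the post's example; key and WAN interface are placeholders).
ROUTE_BASED = """
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set security ike policy ike-policy mode main
set security ike policy ike-policy proposal-set standard
set security ike policy ike-policy pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway external-interface ge-0/0/0.0
set security ipsec policy ipsec-policy proposal-set standard
set security ipsec vpn vpn-tunnel ike gateway ike-gateway
set security ipsec vpn vpn-tunnel ike ipsec-policy ipsec-policy
set security ipsec vpn vpn-tunnel bind-interface st0.0
set routing-options static route 192.0.2.0/24 next-hop st0.0
"""

# Constructed sample: the policy-based policy alone, without the VPN it names.
POLICY_ONLY = """
set security policies from-zone trust to-zone untrust policy vpn-policy match source-address local-net
set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address remote-net
set security policies from-zone trust to-zone untrust policy vpn-policy match application any
set security policies from-zone trust to-zone untrust policy vpn-policy then permit tunnel ipsec-vpn vpn-tunnel
"""

# Constructed sample: complete policy-based VPN (same IKE/IPsec objects, no st0 binding or route).
POLICY_BASED = POLICY_ONLY + "\n".join(
    line for line in ROUTE_BASED.splitlines()
    if line and "st0" not in line and "routing-options" not in line)


def parse_set_config(text):
    """Split 'set ...' commands into token lists, skipping blank lines and # comments."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            toks = shlex.split(line)
            if toks and toks[0] == "set":
                stmts.append(toks[1:])
    return stmts


def _after(stmts, *prefix):
    """Yield the tokens following a hierarchy prefix, for every statement under it."""
    n = len(prefix)
    for s in stmts:
        if len(s) > n and tuple(s[:n]) == prefix:
            yield s[n:]


def _names(stmts, *prefix):
    """Names of the objects configured directly under a prefix (e.g. all IKE gateways)."""
    return {rest[0] for rest in _after(stmts, *prefix)}


def check_vpn_config(text):
    """Return a list of problem strings; an empty list means the VPN wiring is consistent."""
    stmts = parse_set_config(text)
    problems = []
    vpns = _names(stmts, "security", "ipsec", "vpn")
    gateways = _names(stmts, "security", "ike", "gateway")
    ike_policies = _names(stmts, "security", "ike", "policy")
    ipsec_policies = _names(stmts, "security", "ipsec", "policy")
    st0_units = {"st0." + rest[0] for rest in _after(stmts, "interfaces", "st0", "unit")}
    static_next_hops = {rest[rest.index("next-hop") + 1]
                        for rest in _after(stmts, "routing-options", "static", "route")
                        if "next-hop" in rest}

    # Policy-based side: every 'then permit tunnel ipsec-vpn X' must name a defined VPN.
    tunneled = set()
    for rest in _after(stmts, "security", "policies"):
        if "ipsec-vpn" in rest:
            name = rest[rest.index("ipsec-vpn") + 1]
            tunneled.add(name)
            if name not in vpns:
                pol = rest[rest.index("policy") + 1] if "policy" in rest else "?"
                problems.append(f"policy {pol} tunnels into undefined ipsec vpn '{name}'")

    # Every IKE gateway needs a defined IKE policy and a peer address.
    for gw in sorted(gateways):
        body = list(_after(stmts, "security", "ike", "gateway", gw))
        pols = [r[1] for r in body if r[0] == "ike-policy" and len(r) > 1]
        if not pols or pols[0] not in ike_policies:
            problems.append(f"ike gateway '{gw}' has no defined ike policy")
        if not any(r[0] == "address" for r in body):
            problems.append(f"ike gateway '{gw}' has no peer address")

    # Every IPsec VPN needs a gateway, an IPsec policy, and a way for traffic to reach it.
    for vpn in sorted(vpns):
        body = list(_after(stmts, "security", "ipsec", "vpn", vpn))
        gws = [r[2] for r in body if r[:2] == ["ike", "gateway"] and len(r) > 2]
        if not gws or gws[0] not in gateways:
            problems.append(f"ipsec vpn '{vpn}' has no defined ike gateway")
        pols = [r[2] for r in body if r[:2] == ["ike", "ipsec-policy"] and len(r) > 2]
        if not pols or pols[0] not in ipsec_policies:
            problems.append(f"ipsec vpn '{vpn}' has no defined ipsec policy")
        binds = [r[1] for r in body if r[0] == "bind-interface" and len(r) > 1]
        if binds:  # route-based: the st0 unit must exist and a route must steer traffic into it
            if binds[0] not in st0_units:
                problems.append(f"ipsec vpn '{vpn}' binds to unconfigured interface {binds[0]}")
            elif binds[0] not in static_next_hops:
                problems.append(f"no static route uses {binds[0]} as next-hop")
        elif vpn not in tunneled:  # policy-based: a tunnel policy must reference the VPN
            problems.append(f"ipsec vpn '{vpn}' is neither bound to an st0 unit nor used by a tunnel policy")
    return problems


if __name__ == "__main__":
    for label, cfg in (("route-based", ROUTE_BASED), ("policy-only", POLICY_ONLY), ("policy-based", POLICY_BASED)):
        print(label, check_vpn_config(cfg) or "OK")
```

Running the script reports the route-based and complete policy-based samples as OK and flags the policy-only sample, whose vpn-policy tunnels into a VPN that was never defined; feed it the output of `show configuration | display set` to check a real box the same way.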

Conclusion

Understanding the differences between Policy-Based and Route-Based VPNs is essential for network engineers studying for the JNCIS-ENT certification. While Policy-Based VPNs are simpler and more straightforward, Route-Based VPNs offer more flexibility and are suitable for more complex network designs. The choice between the two depends on the specific requirements of your network.

© Ben Jacobson.