When building an IPsec VPN on Juniper firewall devices, there are two ways to create it: route based and policy based. There has been a lot of discussion about what the difference actually is. However, there is one important, practical way of telling these two types of VPN apart.

Think about the other networking giant, Cisco. Cisco's PIX/ASA firewalls do VPN, but they do only policy-based VPN (access lists define the interesting traffic). So the differentiating factor when we create a VPN between these two devices would be:

Route Based VPN:

1. If everything behind both the Juniper firewall and the PIX/ASA needs to be connected via the VPN, then a route-based VPN will work.

2. If only one subnet needs to be allowed to connect via the VPN, then again a route-based VPN will work.

However, if you want to use only two subnets behind the Juniper firewall, it would not be easy with a single tunnel interface, because that tunnel carries a single proxy-ID pair while the PIX/ASA expects one Phase 2 pair per access-list entry. So it is generally suggested to go for a policy-based VPN, where you can define the source networks that need to be secured.
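The three cases above come down to how each side builds its Phase 2 proxy-IDs: the PIX/ASA derives one (local, remote) pair per crypto access-list entry, a Juniper route-based VPN offers a single pair for the tunnel interface (0.0.0.0/0 to 0.0.0.0/0 unless configured), and a Juniper policy-based VPN offers one pair per security policy. The following script is an added example, not code from the original post or from either vendor; it is a simplified model in which the ASA accepts an offered proxy-ID pair only when it exactly matches one of its own access-list entries, and all addresses (10.1.1.0/24, 10.1.2.0/24, 192.168.1.0/24) are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample topology (not from the page): 10.1.x.0/24 subnets sit behind the
# Juniper firewall, 192.168.1.0/24 sits behind the Cisco PIX/ASA.
ANY = ip_network("0.0.0.0/0")


def asa_crypto_acl(entries):
    """Proxy-ID pairs an ASA derives from its crypto access-list.

    Each entry is (source, destination) as seen from the ASA; "any" means 0.0.0.0/0.
    One access-list entry becomes one Phase 2 (local, remote) pair.
    """
    pairs = []
    for src, dst in entries:
        local = ANY if src == "any" else ip_network(src)
        remote = ANY if dst == "any" else ip_network(dst)
        pairs.append((local, remote))
    return pairs


def juniper_route_based(proxy_local="0.0.0.0/0", proxy_remote="0.0.0.0/0"):
    """A route-based VPN terminates on one tunnel interface and carries a single
    proxy-ID pair (default 0.0.0.0/0 <-> 0.0.0.0/0 unless explicitly configured)."""
    return [(ip_network(proxy_local), ip_network(proxy_remote))]


def juniper_policy_based(policies):
    """A policy-based VPN derives one proxy-ID pair per security policy that
    references the VPN, so N policies give N Phase 2 SAs."""
    return [(ip_network(src), ip_network(dst)) for src, dst in policies]


def negotiate_phase2(juniper_pairs, asa_pairs):
    """Simplified Phase 2 negotiation model (assumption, not vendor code):
    the ASA accepts an offered proxy-ID pair only when it exactly equals one of
    its access-list pairs with local/remote swapped.

    Returns (established, rejected) pairs as offered by the Juniper side.
    """
    accepted = {(remote, local) for local, remote in asa_pairs}
    established = [p for p in juniper_pairs if p in accepted]
    rejected = [p for p in juniper_pairs if p not in accepted]
    return established, rejected


def subnets_covered(established, juniper_subnets):
    """Which Juniper-side subnets are actually carried by an established SA."""
    return [s for s in juniper_subnets
            if any(ip_network(s).subnet_of(local) for local, _ in established)]


def scenario_everything():
    """Case 1: everything behind both devices. ASA uses 'permit ip any any',
    Juniper route-based keeps the default 0.0.0.0/0 proxy-ID. Works."""
    asa = asa_crypto_acl([("any", "any")])
    established, _ = negotiate_phase2(juniper_route_based(), asa)
    return subnets_covered(established, ["10.1.1.0/24", "10.1.2.0/24"])


def scenario_single_subnet():
    """Case 2: one subnet on each side. Route-based with an explicit proxy-ID
    matches the single access-list entry. Works."""
    asa = asa_crypto_acl([("192.168.1.0/24", "10.1.1.0/24")])
    established, _ = negotiate_phase2(
        juniper_route_based("10.1.1.0/24", "192.168.1.0/24"), asa)
    return subnets_covered(established, ["10.1.1.0/24"])


def scenario_two_subnets():
    """Case 3: two subnets behind the Juniper, two access-list entries on the ASA.
    Returns (subnets carried by route-based, subnets carried by policy-based)."""
    juniper_subnets = ["10.1.1.0/24", "10.1.2.0/24"]
    asa = asa_crypto_acl([("192.168.1.0/24", "10.1.1.0/24"),
                          ("192.168.1.0/24", "10.1.2.0/24")])
    # Route based: one tunnel interface, one proxy-ID. Summarising both subnets
    # into 10.1.0.0/16 does not exactly match either entry, so no SA comes up.
    rb_established, _ = negotiate_phase2(
        juniper_route_based("10.1.0.0/16", "192.168.1.0/24"), asa)
    # Policy based: one policy per subnet yields two exact proxy-ID pairs.
    pb_established, _ = negotiate_phase2(
        juniper_policy_based([("10.1.1.0/24", "192.168.1.0/24"),
                              ("10.1.2.0/24", "192.168.1.0/24")]), asa)
    return (subnets_covered(rb_established, juniper_subnets),
            subnets_covered(pb_established, juniper_subnets))


if __name__ == "__main__":
    print("everything via route-based:", scenario_everything())
    print("single subnet via route-based:", scenario_single_subnet())
    rb, pb = scenario_two_subnets()
    print("two subnets via route-based:", rb, "| via policy-based:", pb)
```

When troubleshooting a Juniper-to-ASA tunnel, the same check is what the Phase 2 debug output on either side is telling you: compare the proxy-ID pair the Juniper offers against each crypto access-list entry on the ASA, and any subnet that is not an exact (swapped) match will not get an SA.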