NSE4 Question #466: Real Exam Question with Answer & Explanation
The correct answer is A: The firewall policies for policy-based are bidirectional. The firewall policies for route-based are
Question
Which of the following statements is true regarding the differences between route-based and policy-based IPsec VPNs? (Choose two.)
Options
- A. The firewall policies for policy-based are bidirectional. The firewall policies for route-based are
- B. In policy-based VPNs the traffic crossing the tunnel must be routed to the virtual IPsec
- C. The action for firewall policies for route-based VPNs may be Accept or Deny, for policy-based
- D. Policy-based VPN uses an IPsec interface, route-based does not.
Explanation
Policy-based IPsec VPNs use bidirectional firewall policies with an explicit 'IPsec' action, whereas route-based VPNs use separate unidirectional policies that simply 'Accept' traffic routed to a virtual IPsec interface.
Common mistakes
- B. In policy-based VPNs, traffic is not routed to a virtual IPsec interface; instead, the policy itself specifies which traffic should be encrypted and sent over the tunnel. Routing to a virtual IPsec interface is characteristic of route-based VPNs.
- D. Route-based VPNs do use a virtual IPsec interface (e.g., a 'vpn-tunnel' interface) to which routes are added, whereas policy-based VPNs rely solely on the firewall policy to define the encrypted traffic without a dedicated virtual interface for routing.
Concept tested: Route-based vs. policy-based IPsec VPN characteristics