- Date:
- Nov. 19, 2020
- Author:
- Global Knowledge
There are several advantages to implementing a route-based VPN (a.k.a. tunnel interface VPN) instead of asite-to-site one. While both establish a secure tunnel between appliances, a route policy controls the traffic that passes through the tunnel, giving you more flexibility for the services (ports) you want to open across the tunnel as well as redundancy to reroute traffic in case of an outage between the appliances.
Let’s say you have built tunnel interfaces between three sites: New York, Los Angeles, and Houston. They all have route policies directly to each other, and you must build a backup policy to reroute the traffic if the direct tunnels go down. Consider this scenario: The New York tunnel interface to Los Angeles goes down, but the interfaces between New York and Houston and between Houston and Los Angeles are still up. You can reroute traffic from New York to Los Angeles via Houston. You can accomplish this by having a second route policy in New York with a different metric whose destination network is still Los Angeles. But, you must use the tunnel interface policy that sends traffic to Houston first by making that selection under the Interface field. Houston, seeing the destination network is actually Los Angeles, will use its tunnel to Los Angeles to then route the traffic. Same thing happens with traffic from Los Angeles back to New York.
A site-to-site VPN does not give you that type of redundancy since the network is configured in the policy itself. Tunnel interface offloads that configuration from source network to destination network to a route policy. Tunnel interface also has the ability to turn on advanced routing, which utilizes either RIP or OSPF routing protocols. In the Advanced tab of a tunnel interface policy, you will find a check box for advanced routing. Once that’s on, you can go to the Network Routing window and switch the view to Advanced Routing. There, you will see the tunnel interface policy which will allow you to turn on RIP, a distance vector routing protocol that uses the path with the least amount of hops between points, or OSPF, a link state routing protocol that uses a metric of link speed to determine the best path between points. Once RIP or OSPF is configured, the appliances will advertise their routes to each other, which avoids needing to build static route policies between the tunnel interface VPNs. It will become dynamic, which is a definite advantage over site-to-site.
Develop these skills in the following courses
- SNSA - SonicWall Network Security Administrator
- SonicWall Network Security Professional (SNSP)
- Network Administrator Essentials
How to configure redundant routes for route-base VPNs
For details on configuring redundant routes for route-based VPN, take a look at the SonicWall's How Can I Configure A Tunnel Interface VPN (Route-Based VPN)? article.
How to configure OSPF
Read SonicWall's Configuring Dynamic Route Based VPN Using OSPF (Tunnel Interface VPN With Advanced Routing) article.
