Hi @Alex_Samad
You said - "talking about Policy base vs routing to me doesn't matter".
But it actually matters a lot!
Have you ever thought about what "sending traffic through the tunnel" actually means? You know there is no actual separate physical pipe through which you send traffic. "Sending traffic through the tunnel" means telling the firewall to encrypt the traffic and slap on the additional headers.
Policy-based vs. route-based VPN is all about how the decision to encrypt or not is taken.
Palo Alto firewalls apply only route-based VPN. This means that the decision whether a received packet should be encrypted or not is taken based on the routing table lookup. If there is a route pointing to the logical tunnel interface that matches the destination in the packet, the firewall will send this packet for encryption.
IPsec standards dictate that the packet still needs to match the negotiated proxy-ids (called encryption domains by other vendors). If your routing table sends a packet for encryption, but it does not match the proxy-id that has been negotiated with the remote site, the packet will be dropped.
For that reason Palo Alto recommends using a "wildcard" proxy-id (0.0.0.0/0) for local and remote whenever possible (when supported by the remote side of the tunnel).
With route-based VPN, if traffic doesn't match the route to the VPN it will take one of the other routes in your routing table, possibly the default, meaning the traffic will not be encrypted and will be sent to your ISP, where it most probably will be dropped because the destination is a private IP.
Regarding the Cisco at the other end and the "unencrypted" statement by the other engineer:
- Although Cisco routers/FWs can support both route-based and policy-based VPN, based on your explanation it seems they are applying policy-based VPN.
- Similar to Palo, Cisco will also perform a route lookup; however, it will not have a route pointing to any tunnel interface (because there is no such thing as a tunnel interface when you have policy-based VPN). Instead the traffic will take the default route.
- On the outside interface of the Cisco device the VPN policy will be applied, defining/matching which source and destination IPs should be encrypted and to which peer they need to go (what headers need to be added).
- This is achieved by using access lists (ACLs). Those ACLs are used to define the proxy-ids for the VPN tunnel.
- If traffic matches those ACLs, it will be encrypted, slapped with the additional header and forwarded via the outside interface.
- If traffic doesn't match the ACLs/proxy-ids, it will simply be forwarded via the outside interface without encryption, and again eventually dropped by the ISP as the destination is most probably a private IP.
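As an added illustration (not part of the original post or any vendor's code), this Python model replays the two decision flows described above using constructed routes, proxy-ids and a crypto ACL: in the route-based model, traffic routed into the tunnel must still match a proxy-id or it is dropped, while in the policy-based model the ACL alone decides; in both, anything unmatched falls through to the default route and leaves in cleartext.

```python
"""Toy model of the encrypt-or-not decision for route-based vs policy-based IPsec.
Constructed illustration: the routes, proxy-ids and ACL are made up, no device is read."""
from ipaddress import ip_address, ip_network

# Route-based firewall (Palo Alto style): a route points at a logical tunnel interface.
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),   # default route towards the ISP
    ("10.20.0.0/16", "tunnel.1"),   # remote site reached via the tunnel interface
]
PROXY_IDS = [("10.10.0.0/16", "10.20.0.0/16")]   # (local, remote) negotiated with the peer

# Policy-based device (classic crypto-map style): only a default route, plus a crypto ACL.
POLICY_ROUTES = [("0.0.0.0/0", "outside")]
CRYPTO_ACL = [("10.10.0.0/16", "10.20.0.0/16")]  # permit src 10.10/16 -> dst 10.20/16

def lookup_route(dst, routes):
    """Longest-prefix match; returns the egress interface or None."""
    dst, best = ip_address(dst), None
    for prefix, egress in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def matches(src, dst, selectors):
    """True if (src, dst) falls inside any (local, remote) pair: proxy-id or ACL entry."""
    return any(ip_address(src) in ip_network(l) and ip_address(dst) in ip_network(r)
               for l, r in selectors)

def route_based(src, dst, routes=ROUTES, proxy_ids=PROXY_IDS):
    egress = lookup_route(dst, routes)
    if egress is None:
        return "drop: no route"
    if egress.startswith("tunnel"):
        # Routed into the tunnel, but IPsec still requires a proxy-id match.
        if matches(src, dst, proxy_ids):
            return f"encrypt via {egress}"
        return f"drop: routed to {egress} but no proxy-id match"
    return f"cleartext via {egress}"   # fell through to another route, e.g. the default

def policy_based(src, dst, routes=POLICY_ROUTES, acl=CRYPTO_ACL):
    egress = lookup_route(dst, routes)   # never a tunnel interface in this model
    if egress is None:
        return "drop: no route"
    if matches(src, dst, acl):
        return f"encrypt via {egress}"
    return f"cleartext via {egress}"     # no ACL match: forwarded unencrypted
```

Passing `proxy_ids=[("0.0.0.0/0", "0.0.0.0/0")]` to `route_based` shows why the wildcard proxy-id removes the drop case: the routing table alone then decides.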