Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
IPsec VPN has two modes: route-based mode and policy-based mode. The term “VPN” mentioned below refers to IPsec VPN.
In route-based IPsec, you create virtual tunnel interfaces (VTIs) or similar interfaces and use the routing table to specify which traffic goes through the tunnel; firewall policies do not need to match source and destination. This mode suits large-scale, hub-and-spoke, or dynamic subnet environments, and it can integrate with dynamic routing protocols such as OSPF or BGP for automatic route updates and flexible traffic forwarding. It offers flexible, scalable, and centralized management, but it requires careful attention to route priority, MTU, NAT-T, and interface logic, and tunnel management relies heavily on routing.
In policy-based IPsec, you explicitly specify the source, destination, and service in firewall policies, and each policy corresponds to one IPsec tunnel. This mode suits point-to-point links or encryption of specific traffic, and its configuration is straightforward. In large-scale or multi-site networks, however, the number of policies grows rapidly, which makes management complex and hinders integration with dynamic routing. Any change to the network topology or addressing requires manual policy updates, so scalability and flexibility are lower.
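
The difference in how traffic is selected for a tunnel can be seen in a small model. This is an added example, not Athena NGFW configuration or code: the subnets, the `vti1` and `tun-N` names, and every function here are constructed for illustration. It adds one new remote subnet and compares what each mode needs before traffic to that subnet matches a tunnel.

```python
import ipaddress
from itertools import product

def route_based_lookup(routes, dst):
    """Longest-prefix match: only the destination decides which VTI is used."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, vti) for net, vti in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def policy_based_lookup(policies, src, dst, service):
    """First policy whose source, destination and service all match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_src, p_dst, p_svc, tunnel in policies:
        if src in p_src and dst in p_dst and p_svc in ("any", service):
            return tunnel
    return None  # no policy matched: the flow is not selected for any tunnel

def build_policies(local_nets, remote_nets, service="any"):
    """One policy, and so one tunnel, per local/remote subnet pair."""
    pairs = product(local_nets, remote_nets)
    return [(l, r, service, f"tun-{i}") for i, (l, r) in enumerate(pairs)]

def demo():
    net = ipaddress.ip_network
    # Constructed sample topology: two local subnets, two remote subnets.
    local = [net("10.0.1.0/24"), net("10.0.2.0/24")]
    remote = [net("10.10.0.0/24"), net("10.10.1.0/24")]
    routes = [(r, "vti1") for r in remote]
    policies = build_policies(local, remote)
    flow = ("10.0.1.7", "10.10.2.5", "tcp/443")  # destination in a new subnet
    before = (route_based_lookup(routes, flow[1]),
              policy_based_lookup(policies, *flow))
    # Topology change: the remote site adds 10.10.2.0/24.
    new = net("10.10.2.0/24")
    routes.append((new, "vti1"))  # one route, e.g. learned via OSPF or BGP
    policies = build_policies(local, remote + [new])  # one policy per local subnet
    after = (route_based_lookup(routes, flow[1]),
             policy_based_lookup(policies, *flow))
    return len(routes), len(policies), before, after

if __name__ == "__main__":
    print(demo())
```

In this model the route-based side gains one routing entry, while the policy-based side gains one policy for every local subnet that must reach the new network.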