I am confused about policy-based VPNs and route-based VPNs... How can I easily understand whether an IPsec configuration is a route-based VPN or a policy-based VPN?
Easiest way: check if an st0 interface is bound to the IPsec configuration. If so, it is route-based; otherwise it is policy-based.
set security ipsec vpn ipsec_vpn1 bind-interface st0.0
Looking at the configuration, you will be able to verify the kind of VPN. Also, in the output of "show security ipsec security-associations index <X> detail", if it is a policy-based VPN you will see the Policy-name, which is not shown for a route-based VPN.
In a route-based VPN, you use a tunnel interface to which you direct the traffic that has to take the VPN. You would see the st0 interface being used. This is not needed in a policy-based VPN. In that case the traffic selectors have to be configured, which is otherwise not necessary.
In a policy-based VPN, you refer to the VPN in the policy that is configured for the traffic that has to take the VPN.
For more differences and detail, please refer to https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/policy-based-route-based-vpn-comparing.html
And configuration in short and compare, https://www.tunnelsup.com/juniper-srx-configurations-for-route-based-and-policy-based-vpn/
Hope this helps.
Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
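As an added example (not part of the answer above), the following script applies the rule from the answer to a Junos "set"-style configuration: a VPN with a bind-interface st0.x is classified as route-based, a VPN referenced by a security policy's "then permit tunnel ipsec-vpn" is classified as policy-based, and anything else is reported as unreferenced so it can be reviewed. The configuration lines are constructed for the example; the VPN and gateway names are not from the post.

```python
import re

# Constructed sample of a Junos "set" configuration (names are made up).
SAMPLE_CONFIG = """\
set security ipsec vpn ipsec_vpn1 bind-interface st0.0
set security ipsec vpn ipsec_vpn1 ike gateway gw-hub1
set security ipsec vpn ipsec_vpn1 ike ipsec-policy ipsec-pol
set security ipsec vpn ipsec_vpn2 ike gateway gw-hub2
set security ipsec vpn ipsec_vpn2 ike ipsec-policy ipsec-pol
set security policies from-zone trust to-zone untrust policy vpn-out match source-address any
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn ipsec_vpn2
set security ipsec vpn ipsec_vpn3 ike gateway gw-hub3
"""

VPN_RE = re.compile(r"^set security ipsec vpn (\S+)(?: (.*))?$")
BIND_RE = re.compile(r"^bind-interface (st0\.\d+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit tunnel ipsec-vpn (\S+)"
)


def classify_vpns(config_text):
    """Return {vpn_name: (kind, detail)}; kind is 'route-based',
    'policy-based' or 'unreferenced'. Detail is the st0 unit or the
    referencing policy as 'from->to:policy'."""
    names, bound, referenced = [], {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = VPN_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2) or ""
            if name not in names:
                names.append(name)
            b = BIND_RE.match(rest)
            if b:  # st0 interface bound to the VPN => route-based
                bound[name] = b.group(1)
            continue
        p = POLICY_RE.match(line)
        if p:  # security policy sends traffic into the VPN => policy-based
            referenced[p.group(4)] = f"{p.group(1)}->{p.group(2)}:{p.group(3)}"
    result = {}
    for name in names:
        if name in bound:
            result[name] = ("route-based", bound[name])
        elif name in referenced:
            result[name] = ("policy-based", referenced[name])
        else:
            result[name] = ("unreferenced", "")
    return result


if __name__ == "__main__":
    for vpn, (kind, detail) in classify_vpns(SAMPLE_CONFIG).items():
        print(f"{vpn}: {kind} {detail}")
```

Run against the output of "show configuration | display set" on the SRX; a VPN that is neither bound nor referenced is configured but carries no traffic.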
Another question is:
When checking IKE and IPsec on the spoke VPN device:
Spoke> sh security ike security-associations -----> there are two UP sessions and each one is synchronised to one of the hub VPNs.
Spoke> show security ipsec security-associations -----> there are 4 UP sessions (the first 2 of them to the 1st hub; the last 2 to the 2nd hub)
Can I ask why there are 2 UP sessions in IKE? Why isn't one UP and the other Down (until the first one goes down)? Can I understand this as a kind of load balancing, like 50% of the IPsec traffic goes to hub1 and the other half goes to hub2 at the same time? And how do I test it to make sure the entire traffic goes to hub1 or hub2?
Secondly, why are there 4 IPsec sessions?
They are two independent IKE SAs built to two different sites. An IKE SA is just a channel to exchange secure information between the peers to establish the tunnel. This is just phase 1, after which phase 2 has to complete, and only then does traffic pass through the tunnel.
An IKE SA is bidirectional, and hence you see a single SA for each hub. IPsec SAs are unidirectional, so peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.
Regarding the load balancing, it depends on the configuration as to how the traffic is routed to the destination. You can configure ECMP routes to the same destination using the two VPNs, or use these two VPNs for two different destinations, or use one as a backup if the first goes down.