Review the exhibit. In this route-based VPN configuration, where are policies going to be required?
208 – Trust to Untrust
208 – Untrust to Trust
5XT – Trust to Untrust
5XT – Untrust to Trust
Route-based VPNs, like policy-based VPNs, can use either manual key or AutoKey IKE, but they are configured and function somewhat differently. A route-based VPN is not selected by a policy that references a tunnel object; it is selected by the destination address of the traffic. When the NetScreen appliance performs a route lookup to decide which interface to send the traffic out of, it finds a route through a tunnel interface that is bound to a VPN tunnel and uses that interface to deliver the traffic.

Route-based VPNs have several advantages. They conserve system resources: unlike policy-based VPNs, where each tunnel policy creates its own security association, you can configure multiple policies that permit or deny specific traffic through a route-based VPN, and all of those policies use a single security association. Route-based VPNs can also exchange dynamic routing information, such as BGP, over the tunnel interface, and they allow policies whose action is deny, which policy-based VPNs do not. Route-based VPNs have different limits than policy-based VPNs: you are bounded either by the number of route entries or by the number of tunnel interfaces the appliance supports, whichever is smaller. In this scenario the policies are configured on the 208 firewall.
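The following ScreenOS configuration is an added illustration of the points above, not taken from the exhibit or from the original page. It shows the tunnel interface, the VPN bound to it, the static route that selects the tunnel, and Trust to Untrust and Untrust to Trust policies whose actions are permit or deny rather than tunnel. The interface names, zone names, IP addresses, the gateway and VPN names (gw-remote, vpn-remote) and the preshared key are assumptions for illustration; the lines beginning with # are annotations, not ScreenOS commands.

```screenos
# Added example: route-based AutoKey IKE VPN on a NetScreen running ScreenOS.
# Names, addresses and interfaces are assumed for illustration.

# 1. Tunnel interface in the Untrust zone, unnumbered (borrows ethernet3's address)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# 2. IKE gateway (Phase 1) and AutoKey IKE VPN (Phase 2); 203.0.113.1 is a placeholder peer
set ike gateway gw-remote address 203.0.113.1 main outgoing-interface ethernet3 preshare "CHANGE-ME" sec-level standard
set vpn vpn-remote gateway gw-remote sec-level standard

# 3. Bind the VPN to the tunnel interface. This is what makes it route-based:
#    no policy references vpn-remote, the route does.
set vpn vpn-remote bind interface tunnel.1

# 4. Static route to the remote LAN through the tunnel interface.
#    A route lookup for 10.2.0.0/16 now selects tunnel.1, so the traffic is encrypted.
set route 10.2.0.0/16 interface tunnel.1

# 5. Address book entries used by the policies
set address trust LAN-A 10.1.0.0 255.255.0.0
set address untrust LAN-B 10.2.0.0 255.255.0.0

# 6. Policies in both directions. Actions are deny/permit, never "tunnel", and all
#    permitted traffic shares the single SA of vpn-remote. ScreenOS evaluates
#    policies in list order (creation order unless moved), so the deny is created first.
set policy id 10 from trust to untrust LAN-A LAN-B TELNET deny
set policy id 20 from trust to untrust LAN-A LAN-B ANY permit
set policy id 30 from untrust to trust LAN-B LAN-A ANY permit
```

Compare this with a policy-based VPN, where the permit policy itself would carry `tunnel vpn vpn-remote` and every such policy would negotiate its own SA; here the VPN is reached only through the route, so adding or removing policies, including deny policies, never changes the number of SAs. If the deny must be placed above an existing permit after the fact, reorder with `set policy move 10 before 20`.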