Netgate Discussion Forum
    Clarification of IPSec tunnel mode terminology

    Posted by andrew_cb (last edited by andrew_cb)

      I have noticed that inconsistent terminology is used to describe IPsec VPNs.

      The page IPsec Tunnel Design defines these 3 IPsec tunnel modes:

      • Policy-based IPsec
      • Route-based IPsec (VTI)
      • Transport Mode

      All 3 contain "tunnel" in the description.

      The page Advanced IPsec Settings references these 3 IPsec tunnel modes:

      • Tunnel
      • VTI
      • Transport

      • Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)
      • All IPsec traffic, including tunnel mode, transport mode, and VTI mode
      • Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic

      The page Phase 2 Settings mentions

      • Policy-based
      • Tunnel
      • Routed (VTI)
      • Transport

      Based on the above, it appears that the full name combinations of IPsec tunnel modes are:

      • Policy-based (tunnel mode)
      • Route-based / Routed (VTI)
      • Transport mode

      Am I correct so far in my understanding?

      These terms are not used consistently throughout the documentation, forums, and within pfSense.

      • "Tunnel" mode seems to be used more frequently than "Policy-based" for IPsec VPNs.
      • "Routed" or "route-based" are used interchangeably with "VTI."
      • The similar terms "policy route" or "policy-based routing" are frequently used to refer to specifying a gateway in a firewall rule, but it is unclear how this is related to "Policy-based" VPNs.
      • This results in references to "Tunnel mode" VPN tunnels and also "Virtual Tunnel Mode" VPN tunnels.

      I think that updating the documentation and pfSense to consistently use something like "Policy-based (tunnel)," "Route-based (VTI)," and "Transport mode," or "Policy-based," "Route-based," and "Transport mode" would improve clarity and understanding when referring to IPsec VPNs.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.