Clarification of IPSec tunnel mode terminology
I have noticed that inconsistent terminology is used to describe IPsec VPNs.
The page IPsec Tunnel Design defines these 3 IPsec tunnel modes:
- Policy-based IPsec
- Route-based IPsec (VTI)
- Transport Mode
All 3 contain "tunnel" in the description.
The page Advanced IPsec Settings references these 3 IPsec tunnel modes:
- Tunnel
- VTI
- Transport
"Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)"
"All IPsec traffic, including tunnel mode, transport mode, and VTI mode"
"Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic"
The page Phase 2 Settings mentions:
- Policy-based
- Tunnel
- Routed (VTI)
- Transport
Based on the above, it appears that the full name combinations of IPsec tunnel modes are:
- Policy-based (tunnel mode)
- Route-based / Routed (VTI)
- Transport mode
Am I correct so far in my understanding?
These terms are not used consistently throughout the documentation, forums, and within pfSense.
- "Tunnel" mode seems to be used more frequently than "Policy-based" for IPsec VPNs.
- "Routed" or "route-based" are used interchangeably with "VTI."
- The similar terms "policy route" or "policy-based routing" are frequently used to refer to specifying a gateway in a firewall rule, but it is unclear how this is related to "Policy-based" VPNs.
- This results in references to "Tunnel mode" VPN tunnels and also "Virtual Tunnel Mode" VPN tunnels.
I think that updating the documentation and pfSense to consistently use something like "Policy-based (tunnel)," "Route-based (VTI)," and "Transport mode," or "Policy-based," "Route-based," and "Transport mode" would improve clarity and understanding when referring to IPsec VPNs.