In a route-based site-to-site IPsec VPN, what is a correct statement about its configuration?


In a route-based site-to-site IPsec VPN, a virtual IPsec interface is created after completing the Phase 1 configuration. This interface acts as a logical interface on the FortiGate device, allowing it to handle the tunnel like a standard interface rather than relying solely on the traditional policy-based VPN approach.

The creation of this virtual interface is crucial for routing as it enables the use of static routes or dynamic routing protocols to direct traffic into the VPN tunnel. The interface becomes the destination for traffic aiming to be encrypted and sent across the tunnel. This design allows for greater flexibility in routing configurations and is one of the primary features distinguishing route-based VPNs from policy-based ones.

This makes route-based configurations particularly suitable for setups requiring complex routing scenarios, like those involving multiple tunnels or advanced network architectures. In contrast, the incorrect answers reflect limitations or misunderstandings about IPsec VPN configurations. For example, while some policies may need to be prioritized, they do not necessarily need to be positioned at the top, nor is the hub-and-spoke topology incompatible with route-based VPNs. Additionally, route creation through quick mode selectors is not automatic; it requires manual setup or predefined configurations.
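The pieces described above, as an added FortiOS CLI example that is not part of the original page: Phase 1 creates the tunnel interface, a static route sends the remote subnet into it, and a firewall policy references it like any other interface. The tunnel name, interface names, addresses and key placeholder are constructed for illustration, and lines starting with `#` are annotations.

```fortios
# Constructed values: "to-branch", "wan1", "internal", 203.0.113.2, the subnets, the key placeholder.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
# Saving Phase 1 creates the virtual IPsec interface named "to-branch".
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# The quick mode selectors above do not install a route; add it explicitly.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
    # Higher-distance blackhole: if the tunnel is down, drop this traffic
    # instead of letting it follow the default route unencrypted.
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
# The tunnel is used as an ordinary destination interface in policy.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Traffic initiated from the remote site needs a second policy with `srcintf` and `dstintf` reversed; in production, replace the `all` address objects and `ALL` service with the specific subnets and services the tunnel should carry.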
