搞清楚了，我现在用的确实是属于 router based 的一种。参考. 并且确实是用户态实现的。
Based on our own userland IPsec implementation and the kernel-libipsec plugin it is possible to create route-based VPNs with TUN devices. Similar to VTI devices or XFRM interfaces the negotiated IPsec policies have to match the traffic routed via TUN device. In particular because packets have to be copied between kernel and userland it is not as efficient as the solutions above (also read the notes on kernel-libipsec).