As Tim mentioned in his performance review, one of the RV220W's main attractions is its flexible VPN features, including IPSec, SSL, and PPTP. You can create an IPSec Site-to-Site VPN tunnel with the RV220W to another router and you can remotely connect to the RV220W via an IPSec tunnel using Cisco's Quick VPN software.
If you're not an IPsec fan, you can remotely connect to the RV220W via an SSL VPN tunnel, which supports Microsoft Windows 2000/XP/Vista, 32 and 64-bit/Windows 7, and Mac OSX 10.4+. Finally, you can remotely connect to the RV220W using Microsoft's built in PPTP software. I tested all of the remote solutions using 64-bit Windows 7 as my OS.
I used the VPN Wizard on the RV220W to set up a Site-to-Site IPSec VPN tunnel with a NETGEAR SRX5308 to test a Site-to-Site VPN tunnel with the RV220W. The settings on the tunnel on both sides were Main exchange mode, 3DES encryption, SHA-1 authentication, DH Group 2, and Perfect Forward Secrecy (PFS) enabled. Figure 6 is a screenshot of the RV220W's IPSec VPN connection status page.
Figure 6: IPsec connection status
I used Cisco's Quick VPN software, available on Cisco's website, to test remote client IPSec VPN tunnels. As with the RV120W, IPSec client setup is a matter of installing the software on the PC and creating a user name and password on the router. Once complete, you click Connect on the PC software, and you're connected as shown in the RV220W. Figure 7 is a screenshot of the RV220W's QuickVPN connection status page.
Figure 7: QuickVPN Connection Status
As I've stated before, I'm a fan of SSL VPN connections for their simplicity, and the RV220W is no exception. Remotely connecting to the router via the SSL VPN client was easy, since I didn't have to install client software other than the drivers that are automatically installed on the first connection to the router.
I did have to enable SSL VPN Server on the RV220W, as well as create an SSL user name and password, which was simple. Figure 8 is a screenshot of the RV220W's SSL VPN connection status page.
Figure 8: SSL VPN Connection Status
Updated 9/6/2011: Win 7 SSL VPN test update
I reported success with SSL VPN functionality in my review of the Cisco RV220W with the Windows 7 64-bit operating system. Since then, there have been posts to our forums with folks having problems with the RV220W SSL VPN and Win 7 64, which has led me to retest SSL VPN on the RV220W and write this update.
The first thing I did was default the RV220W and update the firmware to the latest version, 126.96.36.199. I then re-enabled and retested SSL VPN with the same PC I used for the RV220W review back in January. The steps I followed are below.
1. Enable remote access via the Administration-Management Interface-Web Access menu.
2. Add an SSL VPN user name and password via Administration-Management Interface-Users.
3. Start up IE64bit in Admin Mode, add the RV220W's WAN IP address to the IE trusted site list, and set IE trusted site security to low.
4. Browse to https://WAN_IP_ADDRESS.
5. Click on VPN Tunnel, select SSL VPN Tunnel Client Installer/Launcher.
As before, my Win 7 64 PC quickly set up an SSL VPN connection. I further tweaked the RV220W settings for Split Tunnel Support and added an additional subnet to the VPN tunnel, all worked well. The screenshot below is from a Win 7 64 PC.
Figure 8a: SSL Tunnel VPN Connection Status
I then tried SSL VPN on a newer PC, also running Win 7 64, and was unable to connect to the RV220W via SSL VPN! I poked around with browser security settings and other tweaks, but no joy. I continuously received the message "Error Virtual Passage Installation Failed!" I did a Google search on this error message and could see there are numerous posts on various forums for this error.
So why did SSL VPN work with one Win 7 64 PC and not the other? I noticed on both Win 7 64 PCs I had a Virtual Passage interface, but there was a difference. On the working Win 7 64 PC, the Virtual Passage interface showed an ISDN channel - Virtual Passage SSLDrv Adapter, circled below, which was missing on the non-working Win 7 64 PC.
Figure 8b: Virtual Passage properties
Windows Device Manager showed the Virtual Passage interface uses a Cavium Networks driver, which reminded me that I used the working Win 7 64 PC to test the NETGEAR SRX5308 awhile back. Both the Cisco RV220W and the NETGEAR SRX5308 use a Cavium CPU and Cavium software for SSL VPN connectivity. (A little more poking around revealed that Cavium acquired the Virtual Passage software from a company called MenloLogic.)
I then attempted to set up an SSL VPN connection from my newer Win7 64 PC to the NETGEAR SRX5308. The Virtual Passage installation succeeded.
With Virtual Passage successfully installed in my newer Win 7 64 PC via the NETGEAR SRX5308, I tried connecting to the Cisco RV220W, and it worked. Below is a screenshot showing the Windows 7 64 Control Panel System page and a successful SSL VPN connection to the RV220W on a Win 7 64 PC.
Figure 8c: Successful Win 7 64 bit SSL connection
Thus, it seems my original test with SSL VPN on the RV220W and Win 7 64 in the review worked because I was using a PC that had previously installed the Virtual Passage driver from a NETGEAR router.
I solved the Cisco RV220W problem by installing the Virtual Passage driver with a NETGEAR router. But that obviously doesn't help those who don't have an extra SSL VPN-capable NETGEAR laying around. We'll notify Cisco of our observation and hopefully we'll see a resolution soon.
End of 9/6/2011 update
To complete the gamut of RV220W VPN options, I tested a remote PPTP connection. Although the least secure of remote connectivity options, PPTP is a useful and also simple option that doesn't require installing client software or drivers on a Windows PC. On the RV220W, enable the PPTP server and add a PPTP user and password.
Adding a PPTP connection is done via the Set up a Connection or Network option in the Networking section of the Windows control panel. Once there, create a new VPN connection, enter the destination IP (or Dynamic DNS name) and ensure you've selected PPTP as the type of VPN. Right click and select Connect on your new connection to establish the tunnel. Figure 9 is a screenshot of the RV220W's PPTP VPN connection status page.
Figure 9: PPTP connection status
Cisco rates the RV220W at 90 Mbps for IPSec VPN throughput and 25 Mbps for SSL VPN throughput. Cisco's RV220W spec sheet doesn't provide a throughput rating for PPTP tunnels. But it does list VPN capacity for up to 25 Site-to-Site tunnels, 25 Quick VPN tunnels, 5 SSL tunnels, and 10 PPTP tunnels.
I tested the RV220W's VPN throughput with iperf using default TCP settings, with a TCP window size of 8KB and no other options. I ran iperf on two PCs running 64-bit Windows 7 with their software firewall disabled. All tests were done over a Gigabit network. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
Table 2 summarizes my VPN test results. The first row is a baseline, showing throughput between my two PCs over a Gigabit LAN on the same subnet. The next rows show throughput using the Quick VPN connection, the SSL VPN connection, and the PPTP connection. I also added my results from testing of a previous router, the Netgear SRX5308, which I'll explain shortly.
|Quick VPN (IPSec)||38.3||49.3|
|SRX5308 VPN Throughput|
Table 2: RV220W VPN Throughput Test Summary
The Baseline shows my two PCs can send data between each other in either direction at over 300 Mbps, thus neither are a bottleneck. With one PC moved to the WAN side of the RV220W and connected via a VPN client, I then measured throughput via each of the VPN clients solutions.
As you can see, I measured 38.3-49.3 Mbps using IPSec, .72-12.5 Mbps using SSL, and 16.3-14.1 Mbps using PPTP. Compared to Cisco's ratings of 90 Mbps for IPSec and 25 Mbps for SSL, these numbers are lower than expected. On the plus side, IPSec throughput of the RV220W nearly doubles that of the RV120W's 25 Mbps.
Interestingly, the IPSec and SSL VPN throughput on the RV220W very closely match the throughput numbers of the NETGEAR SRX5308. In my review of the SRX5308, I measured 38.1-42.6 Mbps using IPSec and .72-13.2 Mbps using SSL. Looking at the components of the two routers, the similar performance makes sense, since they both use the Cavium CN5010 CPU and Broadcom BCM53115 Ethernet chip.