Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN Reviews

VPN Features

One of the SL1000's saving graces - and probably the feature that will be the most attractive to prospective buyers - is its phenomenal VPN performance. I'll get to how phenomenal shortly, but first let's look at the tunnel setup options.

The SL1000 can handle twenty five site-to-site or Remote user access IPsec tunnels. Figure 12 shows the setup options when using a Preshared Key, while Figure 13 shows how the screen changes if you want to use manual keying.

ASUS SL1000 - Example VPN Site-to-Site setup

Figure 12: Example VPN Site-to-Site setup
(click on the image for a full-sized view)

ASUS SL1000 - Tunnel setup with Manual key

Figure 13: Tunnel setup with Manual keying
(click on the image for a full-sized view)

Instead of giving you separate "radio buttons" to set IKE and IPsec parameters, you get drop downs of pre-made combinations. As far as I can tell, all the combinations you'd want are present, but given the abbreviations and terminology used, you might have a hard time finding the ones you need.

For pre-shared key IKE proposals, you get combinations of DES and 3DES encryption, SHA-1 and MD5 authentication and Diffie-Hellman Groups 1, 2 and 5. IPsec proposal groupings include combinations of none, DES and 3DES encryption, none, SHA-1 and MD5 authentication and AH and ESP encapsulation.

There are a few other settings such as the Chained Authentication Header and Xauth (Hidden away in the Aggressive IKE Proposal settings) options that I don't see very often and the Perfect Forward Secrecy (PFS) that I do. One switch I don't see is the ability to enable the chatty NetBIOS broadcasts to enable Windows network browsing (Network Neighborhood / My Network Places). So you'll have to know the IP address of your desired shares or configure Inbound and Outbound ACLs to pass the NetBIOS ports (TCP and UDP Ports 135, 137-139, and 445). Note also that certificate-based authentication is also not supported.

While I'm on the subject of ACLs and IPsec tunnels, I'll make you aware of an SL1000 usability issue that I've previously not encountered in any other SOHO VPN endpoint routers. Since it cost me so much time in getting a tunnel up and running, I thought I'd pass it along:

Once you get an IPsec tunnel successfully established, you also need to configure inbound and outbound ACLs in order to allow traffic to flow through the tunnel.

Once again, something that should be easy is made difficult.

As I mentioned above, the SL1000 can handle site-to-site (router to router) and Remote Access (single client) tunnels. But choosing the Remote Access method brings up a User Group selector and also requires configuring the VPN Virtual IP under the Remote Access menu. Quite frankly, folks, this all made my head hurt and I never was able to get a tunnel working via the Remote Access option.

This doesn't mean that you can't have road warriors securely connecting into your LAN via the SL1000. You'll just have to use site-to-site mode and a VPN client application. I had an old version of SSH's now-departed Sentinel client, which I used to get a tunnel up and running from my WinXP notebook pretty quickly.

Tip TIP: In the past, VPN clients have had rip-off level pricing. But NETGEAR's VPN01L (single license) or VPN05L (5 licenses) - essentially a retail version of the SafeNet IPsec client - provide a resonably-priced (about $40) option.

You can try to use WinXP / 2000's built-in IPsec client if you're patient - I was able to get it to work, but I've had a lot of practice - but only if you can deal with static IP addresses at both ends of the connection - rare with connections from folks on the go.

Tip TIP: If you want to learn how to configure the WinXP built-in IPsec client manually see our Problem Solver.

Finding out what's going wrong with the mating dance between IPsec client and gateway requires good logging of the whole VPN setup process. Unfortunately, the SL1000 isn't very helpful in this regard. You can try using its built-in log page, but I recommend a syslog daemon instead. With either of these methods, however, the log data is in pretty raw format, which makes it hard to tell what's happening.

Finally, if you can't, or don't want to, use the SL1000's IPsec endpoints, you can instead use VPN pass through with IPsec, PPTP or L2TP client applications. And if you want to substitute a different IPsec server for the SL1000's, you can configure an Inbound ACL for it, but not for PPTP or L2TP gateways.

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi everyone, this is my first post ever here. Hope the answers will be helpful to other users, too …I'm trying to connect two RT-N14UHP routers with t...
HiRT-AC87U, Firmware Version 384.9Router 1, VPNRouter 2, Non VPNThe both routers do have VPN servers setup in them, but mostly Router 2 is used with p...
Hi,Is this possible?I wanna plug second router to first (1lan port) second router (wan port)Set vpn on first router for mac address of second router, ...
Hello all!I was planning to use my RT-AC56U as a serial debug bridge for an Odroid board which is close by. I hooked up a USB cp210x adapter into its ...
I was a little surprised that my router doesn't come with some kind of throughput measurement tool. I figured I could mount a disk on the router and m...

Don't Miss These

  • 1
  • 2
  • 3