A more secure way to access devices over the Internet is through the use of VPNs. The USG100 supports multiple VPN technologies, including IPSec Site-Site VPNs, IPSec Client VPNs, and SSL Client VPNs. I tested each of these VPN capabilities, and found strengths and weaknesses on all three.
In Figure 12 below, you can see a status display of two active VPN connections. The first is an IPSec Site-Site VPN connection, the second is an IPSec Client VPN connection. The icon on the far right under Action indicates the connections are active, demonstrating the USG100's ability to run VPN connections of multiple types, simultaneously.
Figure 12: VPN Configuration
IPSec Site-Site tunnels enable the USG100 to connect to other routers over a public network such as the Internet. In my testing, I liked the USG100's simplicity in configuring an IPSec Site-Site VPN tunnel, but was disappointed in interoperability and throughput.
I attempted to set up a Site-Site VPN tunnel between the ZyXEL USG100 and a NETGEAR FVS336G [reviewed]. I've used the NETGEAR in the past to successfully test Site-Site VPN tunnels with other routers and security appliances. Although I could get the ZyXEL and NETGEAR to establish a connection, I couldn't pass traffic through the connection.
ZyXEL gave me access to a USG100 in their lab, and I was able to easily set up a cross-country tunnel over the Internet between my USG100 and ZyXEL's USG100. ZyXEL supports all the typical encryption and authentication algorithms, including DES, 3DES, and AES-128/192/256 encryption along with MD5 and SHA-1 authentication. I used the default settings of DES encryption and SHA-1 authentication.
I configured a Dynamic DNS (DDNS) URL as my WAN interface identification for the VPN tunnel. The USG100 supports DDNS service through DynDNS, Dynu, No-IP, and Peanut Hull. The ZyXEL end of the VPN tunnel was on a static public IP address.
To measure VPN throughput, we used Jperf to generate traffic from my LAN to ZyXEL's LAN, and then in reverse from ZyXEL's LAN to my LAN. Prior to measuring VPN throughput, we used a commonly available web site (www.speakeasy.net) to measure our ISP upload and download speeds. This is important, as VPN throughput can't exceed the lower value of the upload speed on the transmit side and the download speed on the receive side.
The first line of Table 1 shows the Jperf throughput measured from my LAN to ZyXEL's LAN. The Tx Speed of 790 Kbps is my upload speed, while the Rx Speed of 308 Kbps is ZyXEL's download speed, thus the maximum possible speed from my LAN to ZyXEL's LAN will be 308 Kbps.
Running Jperf at default settings, we were able to measure throughput from my LAN to ZyXEL's LAN over the VPN at an average speed of 270 Kbps, which is 88% of the maximum possible speed of 308 Kbps.
(Yes, it is unusual to see such a low download speed of only 308 Kbps. ZyXEL has throttled the download speed to their lab for network management purposes.)
| Device | ISP Tx Speed, upload (Kbps) | ISP Rx Speed, download (Kbps) | VPN Throughput (Kbps) | % of Maximum Possible Speed |
|---|---|---|---|---|
| ZyXEL Lab USG100 | 6672 | 4880 | 742 | 15% |

Table 1: VPN Performance Test Summary
The second line of Table 1 shows the Jperf throughput measured from ZyXEL's LAN to my LAN. The Tx Speed of 6672 Kbps is ZyXEL's upload speed, while the Rx Speed of 4880 Kbps is my download speed, so the maximum possible speed from ZyXEL's LAN to my LAN is 4880 Kbps.
In this direction, we measured throughput over the VPN connection at an average speed of 742 Kbps, which is just 15% of the maximum connection speed of 4880 Kbps.
Since we're using the public Internet as transport, it is hard to say whether the ZyXEL is the limiting factor here or whether it is the public Internet. But the measured speeds are lower than one might expect for a business-class UTM.
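The ceiling rule used for Table 1 (VPN throughput can never exceed the slower of the sender's upload speed and the receiver's download speed) is easy to get backwards when comparing two directions, so here is the arithmetic carried through for both directions as an added example. This is not code from the review; the direction labels are constructed, the Kbps figures are the ones quoted in the text, and the 50% "suspect" threshold is an assumed rule of thumb for flagging a direction where the tunnel, rather than the ISP links, looks like the bottleneck.

```python
"""Added example: reproduce the Table 1 arithmetic for each direction of an
Internet-transported VPN tunnel.

Rule from the review: VPN throughput cannot exceed
    min(upload speed on the transmit side, download speed on the receive side).
Dividing the measured Jperf average by that ceiling gives the
"% of Maximum Possible Speed" column. A low ratio in only one direction is the
hint that something other than the ISP links (possibly the appliance) is the
limiting factor, since the links alone would cap both directions similarly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelDirection:
    name: str               # constructed label for the traffic direction
    tx_upload_kbps: int     # ISP upload speed measured at the sending LAN
    rx_download_kbps: int   # ISP download speed measured at the receiving LAN
    vpn_kbps: float         # average Jperf throughput measured through the tunnel


def ceiling_kbps(d: TunnelDirection) -> int:
    """Maximum possible speed for this direction: the slower of the two ISP links."""
    return min(d.tx_upload_kbps, d.rx_download_kbps)


def percent_of_ceiling(d: TunnelDirection) -> float:
    """Measured VPN throughput as a percentage of the link ceiling."""
    return 100.0 * d.vpn_kbps / ceiling_kbps(d)


def summarize(directions, suspect_below_pct=50.0):
    """Build one Table 1 style row per direction and flag suspiciously low efficiency.

    suspect_below_pct is an assumed threshold, not a figure from the review.
    """
    rows = []
    for d in directions:
        pct = percent_of_ceiling(d)
        rows.append({
            "direction": d.name,
            "ceiling_kbps": ceiling_kbps(d),
            "vpn_kbps": d.vpn_kbps,
            "percent": round(pct),          # Table 1 rounds to whole percent
            "suspect": pct < suspect_below_pct,
        })
    return rows


# Figures quoted in the review (Kbps); labels are constructed for this example.
MEASUREMENTS = [
    TunnelDirection("my LAN -> ZyXEL lab LAN", tx_upload_kbps=790,
                    rx_download_kbps=308, vpn_kbps=270),
    TunnelDirection("ZyXEL lab LAN -> my LAN", tx_upload_kbps=6672,
                    rx_download_kbps=4880, vpn_kbps=742),
]

if __name__ == "__main__":
    for row in summarize(MEASUREMENTS):
        flag = "  <- well below the link ceiling" if row["suspect"] else ""
        print(f'{row["direction"]}: ceiling {row["ceiling_kbps"]} Kbps, '
              f'VPN {row["vpn_kbps"]:.0f} Kbps, {row["percent"]}% of maximum{flag}')
```

Run stand-alone, it reproduces the 88% and 15% figures from the text and flags only the ZyXEL-to-home direction, which is the asymmetry that makes the appliance, rather than the two ISP links, the more likely suspect.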
IPSec Client VPNs also had some strengths and weaknesses. ZyXEL uses the Layer 2 Tunneling Protocol (L2TP) and IPSec technologies for IPSec Client VPN connections. The strength of this solution is that L2TP software is included in Windows XP and Vista, eliminating the hassle of loading and configuring another application. The USG100 will support up to 50 IPSec Clients without any additional licensing fees.
The ZyXEL manual has a useful configuration example on how to set up both the USG100 and the Client PC, which I followed step by step. As with other configurations on the USG100, there were multiple steps, including setting up the VPN Gateway, VPN Connection, multiple Address Objects, a user name and password, and a Policy Route.
I configured my Vista laptop for an L2TP/IPSec VPN connection by entering the preshared key, user name and password, and the IP address of the USG100, and enabling PAP as shown in Figure 13. Note that PAP, or Password Authentication Protocol, is a common authentication method, but it is considered less secure because the credentials are passed unencrypted. Once configured, I had no problem connecting to the USG100 from my Vista laptop.
Figure 13: PAP Configuration
The weakness of this solution, as stated in the ZyXEL manual, is that the L2TP/IPSec VPN connection won't work over a NAT, so the client PC has to have a public IP address. If the remote clients are using an aircard or have their home PCs directly connected to their ISP, this limitation shouldn't be a problem. If remote clients need access from Wi-Fi connections behind a NAT, common in hotels, libraries, airports, coffee shops, etc., this limitation is a problem.