
VPN

A more secure way to access devices over the Internet is through the use of VPNs. The USG100 supports multiple VPN technologies, including IPSec Site-Site VPNs, IPSec Client VPNs, and SSL Client VPNs. I tested each of these VPN capabilities, and found strengths and weaknesses in all three.

In Figure 12 below, you can see a status display of two active VPN connections. The first is an IPSec Site-Site VPN connection, the second is an IPSec Client VPN connection. The icon on the far right under Action indicates the connections are active, demonstrating the USG100's ability to run VPN connections of multiple types, simultaneously.


Figure 12: VPN Configuration

IPSec Site-Site tunnels enable the USG100 to connect to other routers over a public network such as the Internet. In my testing, I liked the USG100's simplicity in configuring an IPSec Site-Site VPN tunnel, but was disappointed in interoperability and throughput.

I attempted to set up a Site-Site VPN tunnel between the ZyXEL USG100 and a NETGEAR FVS336G [reviewed]. I've used the NETGEAR in the past to successfully test Site-Site VPN tunnels with other routers and security appliances. Although I could get the ZyXEL and NETGEAR to establish a connection, I couldn't pass traffic through the connection.

ZyXEL gave me access to a USG100 in their lab, and I was able to easily set up a cross-country tunnel over the Internet between my USG100 and ZyXEL's USG100. ZyXEL supports all the typical encryption and authentication algorithms, including DES, 3DES, and AES-128/192/256 encryption along with MD5 and SHA-1 authentication. I used the default settings of DES encryption and SHA-1 authentication.

I configured a Dynamic DNS (DDNS) URL as my WAN interface identification for the VPN tunnel. The USG100 supports DDNS service through DynDNS, Dynu, No-IP, and Peanut Hull. The ZyXEL end of the VPN tunnel was on a static public IP address.

To measure VPN throughput, we used Jperf to generate traffic from my LAN to ZyXEL's LAN, and then in reverse from ZyXEL's LAN to my LAN. Prior to measuring VPN throughput, we used a commonly available web site (www.speakeasy.net) to measure our ISP upload and download speeds. This is important, as VPN throughput can't exceed the lower value of the upload speed on the transmit side and the download speed on the receive side.

The first line of Table 1 shows the Jperf throughput measured from my LAN to ZyXEL's LAN. The Tx Speed of 790 Kbps is my upload speed, while the Rx Speed of 308 Kbps is ZyXEL's download speed, thus the maximum possible speed from my LAN to ZyXEL's LAN will be 308 Kbps.

Running Jperf at default settings, we were able to measure throughput from my LAN to ZyXEL's LAN over the VPN at an average speed of 270 Kbps, which is 88% of the maximum possible speed of 308 Kbps.

(Yes, it is unusual to see such a low download speed of only 308 Kbps. ZyXEL has throttled the download speed to their lab for network management purposes.)

| Device | ISP Tx Speed, upload (Kbps) | ISP Rx Speed, download (Kbps) | VPN Throughput (Kbps) | % of Maximum Possible Speed |
|---|---|---|---|---|
| My USG100 | 790 | 308 | 270 | 88% |
| ZyXEL Lab USG100 | 6672 | 4880 | 742 | 15% |

Table 1: VPN Performance Test Summary

The second line of Table 1 shows the Jperf throughput measured from ZyXEL's LAN to my LAN. The Tx Speed of 6672 Kbps is ZyXEL's upload speed, while the Rx Speed of 4880 Kbps is my download speed, thus the maximum possible speed from ZyXEL's LAN to my LAN will be 4880 Kbps.

In this direction, we measured throughput over the VPN connection at an average speed of 742 Kbps, which is just 15% of the maximum connection speed of 4880 Kbps.

Since we're using the public Internet as transport, it is hard to say whether the ZyXEL is the limiting factor here or whether it is the public Internet. But the measured speeds are lower than one might expect for a business-class UTM.

IPSec Client

IPSec Client VPNs also had some strengths and weaknesses. ZyXEL uses the Layer 2 Tunneling Protocol (L2TP) and IPSec technologies for IPSec Client VPN Connections. The strength of this solution is that L2TP software is included in Windows XP and Vista, eliminating the hassle of loading and configuring another application. The USG100 will support up to 50 IPSec Clients without any additional licensing fees.

The ZyXEL manual has a useful configuration example on how to set up both the USG100 and the Client PC, which I followed step by step. As with other configurations on the USG100, there were multiple steps, including setting up the VPN Gateway, VPN Connection, multiple Address Objects, a user name and password, and a Policy Route.

I configured my Vista laptop for an L2TP/IPSec VPN Connection by entering the preshared key, user name and password, the IP address of the USG100, and enabling PAP as shown in Figure 13. Note that PAP, or Password Authentication Protocol, is a common technology for authentication, but is considered less secure since authentication is passed unencrypted. Once configured, I had no problem connecting to the USG100 from my Vista laptop.


Figure 13: PAP Configuration
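
The PAP note above, illustrated with an added example that is not from the review or from ZyXEL: a PAP Authenticate-Request (RFC 1334) carries the password as a length-prefixed plaintext field, while a CHAP Response (RFC 1994) carries only an MD5 digest computed over a challenge. The user name, password and challenge are constructed sample values, and `visible_fields` is a hypothetical helper name.

```python
import hashlib
import struct

PPP_PAP, PPP_CHAP = 0xC023, 0xC223  # PPP protocol numbers

def pap_request(ident, peer_id, password):
    """RFC 1334 Authenticate-Request (code 1): two length-prefixed plaintext fields."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_response(ident, name, secret, challenge):
    """RFC 1994 Response (code 2): value = MD5(identifier || secret || challenge)."""
    value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data

def visible_fields(proto, packet):
    """Return what is readable from one authentication packet without any key."""
    if len(packet) < 5:
        raise ValueError("truncated packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[4:]
    n = body[0]  # length of the first field (peer-id for PAP, digest for CHAP)
    if len(body) < 1 + n:
        raise ValueError("field overruns packet")
    if proto == PPP_PAP and code == 1:
        rest = body[1 + n:]
        if not rest or len(rest) != 1 + rest[0]:
            raise ValueError("bad password field")
        return {"user": body[1:1 + n].decode(),
                "password": rest[1:].decode(), "digest": None}
    if proto == PPP_CHAP and code == 2:
        return {"user": body[1 + n:].decode(),
                "password": None, "digest": body[1:1 + n].hex()}
    raise ValueError("not a PAP request or CHAP response")

# Constructed sample credentials and challenge, for illustration only.
USER, SECRET, CHALLENGE = b"alice", b"constructed-pass", bytes(range(16))

if __name__ == "__main__":
    print(visible_fields(PPP_PAP, pap_request(1, USER, SECRET)))
    print(visible_fields(PPP_CHAP, chap_response(1, USER, SECRET, CHALLENGE)))
```
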

The weakness of this solution, as stated in the ZyXEL manual, is that the L2TP/IPSec VPN Connection won't work over a NAT, so the Client PC has to have a Public IP address. If the remote clients are using an aircard or have their home PCs directly connected to their ISP, this limitation shouldn't be a problem. If remote clients need access from Wi-Fi connections behind a NAT, common in hotels, libraries, airports, coffee shops, etc., this limitation is a problem.
