Cisco rates the v3 as capable of supporting up to 50 Site-to-Site IPSec tunnels, 50 Client-to-Site IPSec tunnels and 5 Client-to-Site PPTP tunnels. This is another upgrade from the 2007 RV042, which supported only 30 Site-to-Site tunnels and 10 Client-to-Site tunnels, plus 5 Client-to-Site PPTP tunnels.
According to Cisco's specs, the RV042 can support all these tunnels simultaneously. There is a counter in the VPN status screen that shows the number of tunnels used and available. With both a Site-to-Site and Client-to-Site tunnel active, the counter showed 1 tunnel used and 49 tunnels available, indicating that Client-to-Site tunnels don't count against the total number of supported Site-to-Site tunnels.
I set up all three connection types and verified they can be run simultaneously. As you can see in Figure 6, the top connection is an active Site-to-Site tunnel and the bottom connection is an active Client-to-Site tunnel.
Figure 6: Simultaneous client and site-to-site tunnels
In addition, I was able to run a PPTP tunnel at the same time as the Site-to-Site and Client-to-Site tunnels. PPTP tunnel status is displayed in the RV042 menu separately, shown in Figure 7.
Figure 7: PPTP status
Setting up a Site-to-Site tunnel was simple. I used a NETGEAR SRX5308 [reviewed] as the other end of the Site-to-Site tunnel. I configured both ends with 3DES encryption, SHA-1 authentication, Diffie Hellman Group 2 (1024 bit) key exchange, and Perfect Forward Secrecy (PFS) enabled. The RV042 also supports DES and AES-128, AES-192, and AES-256 encryption, as well as MD5 authentication.
Client-to-Site IPSec VPN tunnels are supported via Cisco's QuickVPN Client, which you can download here. I used the latest version, 220.127.116.11. The RV042 manual also states you can use third-party VPN client software such as TheGreenBow.
Setting up a QuickVPN tunnel is a matter of adding a user name and password in the RV042 and installing the software on your PC. Cisco's QuickVPN software actually runs on top of the IPSec software built into Microsoft Windows.
I had some inconsistent performance with the QuickVPN client with my Windows 7 PC. I had a couple instances where the client would time out without connecting. Cisco's release notes for QuickVPN version 18.104.22.168 here provide some useful information. For Windows Vista and 7, you must have the Windows Firewall enabled for the QuickVPN client to work. Further, QuickVPN must be run with administrative rights. I found that disabling the Windows Firewall resulted in consistent failure of the QuickVPN client.
PPTP tunnels are one of the easiest of all remote access tunnels, a feature I noted on the 2007 RV042 and am glad to see is retained on the 2011 RV042. Enabling PPTP on the RV042 is a matter of clicking a check box to enable the PPTP server and adding user names and passwords.
No software needs to be downloaded or installed on Windows PC for a PPTP tunnel. From the Windows Network and Sharing Center, select Setup a New Connection or Network, then select Connect to a Workplace, enter the RV042's WAN IP or Dynamic DNS name and the user name and password you created on the RV042, and you're good to go.
Cisco rates the RV042 as capable of 59 Mpbs for IPSec VPN throughput. I used the Cisco QuickVPN Client to measure IPSec VPN throughput.
I tested the RV042's VPN throughput with iperf using default TCP settings, a TCP window size of 8KB, and no other options. I ran iperf on two PCs running 64-bit Windows 7. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
As you can see in Table 1, the RV042 didn't measure up to its rated 59 Mbps throughput on any of my tunnels. But, relatively speaking, the RV042 made a decent showing for itself, nearly matching the recently reviewed Cisco RV220W, which didn't measure up to its 90 Mbps for IPSec VPN throughput, either.
|RV042 v3||RV042 v1||RV220W|
|PPTP WAN > LAN||10.8||-||16.3|
|PPTP LAN > WAN||9.7||-||14.1|
|IPsec WAN > LAN||37.1||21.9||38.3|
|IPsec LAN > WAN||47.5||32.6||49.3|
Table 1: VPN throughput (Mbps)
You can also see that the v3 is significantly faster than the original (v1) RV042. WAN-LAN throughput has improved a bit more than 70%, while LAN-WAN throughput is improved by 46%.
The RV042 has two WAN ports, with the second WAN port useful for connecting to a second ISP or serving as a DMZ port.
The default for WAN2 is as a second ISP connection. The RV042 provides two options for managing dual ISP connections, Load Balancing (default) and Smart Link Backup.
The Load Balancing option allows you to use both ISP connections simultaneously and manage traffic flows over the two interfaces. Traffic flows are managed via the bandwidth settings on the RV042.
The bandwidth management feature allows you to define the upload and download bandwidth of each interface. You then have the option to control traffic flows over each interface by protocol type, as well as source and destination IP addresses. Specific traffic types can be bound to a specific interface and then allocated minimum and maximum bandwidths or prioritized as high or low. There are 19 pre-defined traffic types, and you can add custom traffic types as needed.
To test bandwidth management, I first measured my ISP connection via speedtest.net. My download was 11.35 Mbps and upload was 650 kbps as shown in Figure 8.
Figure 8: ISP connection speed
I then set up the bandwidth management rule shown in Figure 9 to limit throughput to a maximum download of 5 Mbps and upload to 200 kbps.
Figure 9: Bandwidth limits
I then re-ran the speed test. As you can see in Figure 910, the RV042 throttled traffic pretty close to my settings, limiting my download speed to 4.8 Mbps and upload speed to 170 kbps.
Figure 10: Speed test w/ bandwidth limits
Smart Link Backup allows you to designate one ISP as primary, the other as backup. This would be a useful setting if you wanted all traffic to go over the primary ISP and only use the secondary ISP in the event of failure.
Failover from primary to backup, and failback from backup to primary was nearly instantaneous. This is an improvement over the 2007 RV042, which lagged on reconnecting to the primary ISP. Packet loss was minimal (one ping in a continuous ping) when I disconnected the primary ISP connection. Upon reconnecting the primary ISP, a traceroute showed all traffic was again routing through the primary ISP connection within seconds.
The WAN2 interface can also be configured as a DMZ port or Transparent Bridge. A DMZ port requires you have multiple public IP addresses from your ISP, which then allows you to place a web server and other public facing devices outside the RV042's firewall. The Transparent Bridge option enables using the DMZ port to connect to another segment of your internal network.