Wireless options on the ISA550W are straightforward. I had no problem connecting to the ISA550W's 2.4 GHz 802.11n wireless network with a Windows 8 laptop and an iPhone.
The ISA550W can operate in 802.11b/g, g/n, b/g/n, or n-only modes. The wireless channel can be set to auto or channel 1-11. Bandwidth can be set to 20 MHz or Auto. Wireless security options include Open, RADIUS, WEP, WPA, WPA/WPA2 and WPA2. WPA and WPA2 support either a shared secret key or enterprise (RADIUS) authentication.
Up to 4 different SSIDs can be broadcast, with each SSID mapped to a different VLAN. Up to 16 MAC addresses can be permitted or denied by SSID. A neat feature is that SSIDs can be enabled and disabled automatically by schedule. Below, I've set the guest SSID to be active from 9 AM to 6 PM daily.
Scheduled SSID enable
Additional wireless options on the ISA550W include support for Wi-Fi Protected Setup (WPS), Rogue AP Detection, and Captive Portal. WPS is a bit unusual to support on a router intended for business, but there it is. Rogue AP Detection on the ISA550W will display detected wireless networks and allow you to simply mark them as authorized. The ISA550W does not restrict unauthorized access points.
The Captive Portal feature redirects wireless users to a web page to enter a user name and password, shown below, forcing them to authenticate before they are allowed to access your network.
Cisco ISA550W Captive Portal
The ISA550W supports multiple VPN options with capacity for up to 25 site-to-site IPsec tunnels, 10 remote access IPsec tunnels, 10 remote access SSL tunnels, plus 10 remote access L2TP tunnels. PPTP tunnels are not supported.
An additional VPN option on the ISA550W is called Teleworker VPN Client. This option simplifies setting up an IPsec tunnel between two Cisco endpoints. In Teleworker VPN Client mode, the ISA550W will act as a VPN client and automatically set up a tunnel to another Cisco device. This would be useful for a remote office lacking the technical ability to configure and support VPN tunnels as this mode eliminates the need to install software on PCs and simplifies configurations on the ISA550W. Using this feature, however, disables traditional IPsec site-to-site and remote access functionality on the ISA550W.
I started by evaluating IPsec site-to-site tunnels. The ISA550W supports all standard IPsec options, including 3DES and AES encryption, as well as MD5 and SHA-1 authentication. Manual configuration of a site-to-site tunnel on the ISA550W is a bit detailed as it involves creating a transform set, an IKE policy, and an IPsec policy selecting your tunnel options.
Cisco simplifies the configuration of IPsec site-to-site tunnels with a wizard that walks you through the options. I used the ISA550W VPN configuration wizard to set up a site-to-site IPsec tunnel between the ISA550W and a NETGEAR SRX5308. I used 3DES encryption and SHA-1 authentication. Below is a screenshot of the ISA550W showing the status of my site-to-site IPsec tunnel.
Cisco ISA550W IPsec status
Site-to-site VPN configurations were relatively easy, but I ran into a few hurdles getting remote VPN tunnels to work. In the end, however, I was able to remotely access the ISA550W via IPsec, SSL, and L2TP tunnels using a Windows 7 Pro PC.
For remote access IPsec tunnels, there is a wizard for configuring the ISA550W, which made the router configs easy. Cisco includes the IPsec client software on a disk that comes with the router. The part that threw me is the remote IPsec wizard has you create a group name and pre-shared key (PSK), plus a user name and password. The trick is to configure the IPsec client software with the group name and PSK, not the user name and password, circled below in the screenshot from the VPN client software.
IPsec Remote tunnel configuration tip
Once I had my confusion sorted out (via a few emails with Cisco) and the configuration correct, the client successfully connected to the ISA550W. Note to Cisco: it would have been nice to get a few screenshots of both the client and router configs in the manual to make this easier. Below is a screenshot showing both my IPsec site-to-site and remote tunnels are up.
IPsec Site-to-Site & Remote tunnels up
The ISA550W also supports remote SSL tunnels and there is a wizard for configuring them. However, software needs to be installed on the PC for remote SSL access. On some VPN routers I've tested, such as the NETGEAR SRX5308, no separate software installation is required for SSL VPN tunnels—it is automatically installed during the connection process.
SSL VPN software is included on the disk that comes with the ISA550W. But for some reason, the software on the disk is in an image (.iso) file that must be extracted using a utility such as 7-Zip before you can install it. I'm not sure why the software had to be packaged into an image file when the CD has only 90 MB of files on it!
Once I extracted and installed the software, I was again able to remotely connect to the ISA550W, this time via an SSL VPN tunnel. Below is a screenshot of a useful status page, showing the number of active SSL users along with various network statistics.
SSL tunnel Status
Lastly, the ISA550W supports remote access via L2TP tunnels. In this case, there is no wizard for configuring the router, so you have to manually enable the L2TP server and configure firewall rules on the ISA550W to allow access. L2TP software is included in Windows, so thankfully there were no client software challenges. Once L2TP was enabled on the ISA550W and configured on my Windows 7 PC, I was able to remotely connect to the ISA550W via an L2TP VPN tunnel.
I tested the ISA550W's VPN performance with iperf using default TCP settings, with a TCP window size of 8 KB and no other options. I ran iperf on two PCs running 64-bit Windows 7 with their software firewall disabled. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c [ip] on the other PC.)
Cisco rates the ISA550W at 75 Mbps for IPsec throughput. (Note, NETGEAR rates the SRX5308 at 180 Mbps for IPsec throughput, thus the SRX5308 shouldn’t limit throughput on the site-to-site tunnel to the ISA550W.) Table 1 shows my VPN throughput measurements over the four tunnel types on the ISA550W.
|Tunnel Type||Client > Gateway||Gateway > Client|
Table 1: VPN Throughput (Mbps)
Notice in Table 1 the IPsec performance numbers at 91.6 Mbps in both directions using the IPsec client, and 67.8 Mbps / 107 Mbps in a site-to-site tunnel with the NETGEAR SRX5308. It is interesting that the ISA550W exceeds the Cisco 75 Mbps rating on both client and site-to-site tunnels. In my experience, it is more common for a device to fall short of manufacturer ratings than exceed them.
Table 2 shows a VPN throughput table comparing IPsec client performance on the ISA550W to several VPN routers I've reviewed. Clearly, the ISA550W is head and shoulders above other devices in this table. (Note, you can click on the model number listed in the table to go to the review for each device.)
|Product||Client > Gateway||Gateway > Client|
Table 2: IPsec Throughput (Mbps)
To wrap up my VPN discussion, the ISA550W has numerous VPN connection options and impressive IPsec throughput numbers, the fastest I've tested. If Cisco adds a few examples to the manual showing both router and client configuration, the ISA550W's VPN options will be even better.