The USG40 has a similar menu structure and GUI to the USG20 and ZyWALL 110. In addition to the GUI, the USG40 can be managed from the command line via Telnet, SSH and direct console connection. A virtual console connection is also accessible via the GUI.
When you log in, you're presented with a useful dashboard that displays Device Information, Security Service and License Status, System Status, System Resource utilization and statistics for Content Filtering, Viruses, Intrusions, and Security Policies. Below is a screenshot of the dashboard.
At the top of the dashboard, you can see virtual images providing a real-time view of the front (shown below) and rear of the device.
Virtual Front Panel
The USG40 uses an object oriented configuration model. Objects are created for interface zones, user management, access points, application control, IPv4 addresses, network services, manageable schedules, authentication servers, authentication methods, certificates, WAN profiles, ISP authentication and SSL applications. Creating an object is a common first step in configuring the USG40. Once an object is created, you apply it in a profile and then attach that profile to a rule to manage network traffic.
For example, to configure an IPsec tunnel, first you create an IPv4 address object matching the subnet of the far end router's LAN. You then use that object in the Policy section of the VPN Connection configuration.
ZyXEL has done a good job organizing the USG40's configuration screens. This is critical, as the device literally has hundreds of configuration options. Menus for configuring the USG40 include Licensing, Wireless, Network, Web Authentication, Security Policy, VPN, Bandwidth Management (BWM), UTM Profiles, Objects, System, and Logging/Reporting Options. Within each of these menus are submenus, each with one or more tabs where configurations are entered. ZyXEL further simplified WAN, IPsec and L2TP setup by providing useful step-by-step configuration wizards.
The 741-page manual for the USG40 provides an overview of configuration options. I've struggled with some of the configuration options on ZyXEL devices in the past, but I've found ZyXEL's growing support library to provide useful configuration examples. Keyword searches on ZyXEL's Support Document site return a good number of step-by-step guides.
There are five 10/100/1000 RJ45 Ethernet ports on the USG40 while the USG60 has six. An image of the USG40 port configuration screen is shown below.
The physical ports (P1-P5) can be assigned to a port type (WAN1, LAN1, LAN2, DMZ, and OPT). Each port type can be enabled or disabled, plus ingress/egress bandwidth and MTU can be changed.
One interface is dedicated as the WAN1 interface. Three interfaces can be configured as members of the LAN1, LAN2 or DMZ internal zones. The last interface can be configured as a member of the LAN1, LAN2, DMZ or WAN zone. Thus, the USG40 has the flexibility of being a dual WAN router if you have dual WAN connections. If you don't have dual WAN connections, you can still use the last interface as a member of an internal zone.
In addition to dual WAN connections via Ethernet ports, the USG40 has a single USB port where a 3G / 4G WWAN network connection can be used as a WAN connection. The USG60 has two USB ports. ZyXEL lists support for 151 USB 3G devices here in the download library for the USG40. The USB port on the USG40 can also be used to store the USG40's system logs and diagnostic information. It can't be used for shared network storage, though.
The USG40 also supports 802.1q VLAN tagging, enabling even greater network segmentation than is available with the physical interfaces alone. VLAN tags can be between 1 and 4094, and the USG40 can have up to 8 different active VLANs, each with its own DHCP server.
The USG40 supports policy-based routing, routing protocols including RIP and OSPF, as well as static routes. Additional networking options include dynamic DNS from multiple suppliers, configurable network address translation (NAT), and VoIP and FTP application layer gateways (ALG).
Wireless networking is supported in two ways by the Performance series devices. As mentioned previously, two models (USG40W and USG60W) have integrated access points. All four models of the Performance series can function as WLAN controllers for specific models of ZyXEL access points.
Out of the box, the Performance series devices can manage two access points, but that can be increased to ten access points with a license upgrade. Supported access points are the ZyXEL NWA3000-N, NWA5000-N, and NWA5120-N series devices. (Specific model numbers are listed on the Wi-Fi compatibility tab on the ZyXEL product page.)
The USG40 supports IPsec, SSL and L2TP VPN connections in much the same manner as the ZyWALL 110. Up to 20 concurrent IPsec tunnels and 12 concurrent SSL tunnels are supported. L2TP tunnels, which use IPsec encryption, count as part of the 20 concurrent IPsec tunnel limit.
I had no problem setting up a site-to-site IPsec VPN tunnel between the USG40 and a ZyWALL 110. Phase 1 and Phase 2 IPsec tunnel options include DES, 3DES, AES128, AES192 and AES256 encryption; plus MD5, SHA1, SHA256, and SHA512 authentication. I set up my tunnel using AES256 encryption and SHA1 authentication.
For IPsec peer authentication, the USG40 supports pre-shared key and certificate authentication. I was able to set up an IPsec tunnel on the USG40 with both methods. Note that IPsec throughput is not affected by the peer authentication method, as I verified in the IPsec throughput tests covered below.
Pre-shared key authentication is easier to configure: just enter a common key on both IPsec routers. Certificate authentication between two ZyXEL routers isn't much more difficult and is more secure than pre-shared key authentication. Certificate authentication involves clicking the certificate option in the VPN menu instead of the pre-shared key option and exchanging certificates.
Exchanging certificates is done with the export and import options in the Object-Certificate menu. I exported the default self-signed certificate from the USG40, saved it on my PC, then imported it into the ZyWALL 110 as a trusted certificate. Then, I exported the default self-signed certificate from the ZyWALL 110, saved it on my PC, then imported it into the USG40 as a trusted certificate. In the screenshot below from the USG40, you can see the imported certificate from the ZyWALL 110.
Below is a screenshot from the USG40 showing my active IPsec tunnel to the ZyWALL 110 using certificate authentication.
The ZyWALL IPsec VPN Client, which is based on software from Greenbow, provides remote IPsec VPN connectivity. I had a few challenges getting remote IPsec VPN connectivity to work.
There are configuration wizards in the router and client software, but the values don't match and require editing. The router wizard configures Phase 1 with DES, MD5, and DH1 and Phase 2 with DES, SHA-1 and PFS=none. In contrast, the client software wizard configures Phase 1 with 3DES, SHA-1, and DH2 and Phase 2 with 3DES, SHA-1 and PFS=DH2.
I edited the router to match the client software settings for both Phase 1 and Phase 2. Below is a screenshot showing Phase 1 (gateway) settings on the client software.
Phase 1 Config
Further, I found you need to edit the VPN Client address in the client software Phase 2 (tunnel) config screen. The client software wizard configures the VPN Client address = 0.0.0.0. I observed the tunnel passes two-way traffic with 0.0.0.0, but encryption was one-way. Traffic appeared to be encrypted from the client to the router, but not from the router to the client.
The screenshot below shows the Phase 2 (tunnel) settings on the client software that enabled two-way encryption. Note the highlighted area where I changed the VPN Client address to 192.168.33.3. You can enter any IP address in this field that doesn't overlap with address ranges or specific addresses already in use on the client or the USG40.
Phase 2 Config
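The two fixes above (aligning the router's Phase 1 and Phase 2 proposals with the client's, and replacing the 0.0.0.0 VPN Client address with an address that overlaps nothing in use) are easy to get wrong by hand. The following script is an added example, not code from the review or from ZyXEL: it holds the wizard defaults the review reports for each side, lists every setting IKE would refuse to agree on, flags the legacy algorithms in the router wizard's defaults, and validates a candidate client address. The in-use address ranges and the `WEAK` set are constructed assumptions for the example.

```python
"""Reconcile router-wizard and client-wizard IPsec proposals and check a VPN client address.

Added example (not from the review or ZyXEL). The proposal values are the wizard defaults
the review reports; the address ranges below are constructed for illustration.
"""
import ipaddress

# Wizard defaults as reported in the review (constructed dicts, not device output).
ROUTER_WIZARD = {
    "phase1": {"encryption": "DES", "hash": "MD5", "dh_group": "DH1"},
    "phase2": {"encryption": "DES", "hash": "SHA-1", "pfs": "none"},
}
CLIENT_WIZARD = {
    "phase1": {"encryption": "3DES", "hash": "SHA-1", "dh_group": "DH2"},
    "phase2": {"encryption": "3DES", "hash": "SHA-1", "pfs": "DH2"},
}

# Assumed local policy for this example: algorithms RFC 8247 deprecates for IKEv2
# (single DES, HMAC-MD5 and 768-bit MODP group 1) should not appear in a new tunnel.
WEAK = {"DES", "MD5", "DH1"}


def proposal_mismatches(router, client):
    """Return (phase, setting, router_value, client_value) for every setting that differs.

    IKE negotiation fails until both peers offer identical values for each of these,
    which is why the review had to edit the router to match the client.
    """
    diffs = []
    for phase in ("phase1", "phase2"):
        for key, router_value in router[phase].items():
            client_value = client[phase].get(key)
            if router_value != client_value:
                diffs.append((phase, key, router_value, client_value))
    return diffs


def weak_settings(proposal):
    """Sorted list of the proposal's values that fall in the WEAK policy set."""
    return sorted({v for phase in proposal.values() for v in phase.values() if v in WEAK})


def check_client_address(candidate, in_use):
    """Validate the VPN Client address entered in the client's Phase 2 (tunnel) screen.

    Rejects 0.0.0.0 (the wizard default that gave one-way encryption in the review)
    and any address inside a range already in use on the client or the router.
    Returns (ok, reason).
    """
    addr = ipaddress.ip_address(candidate)
    if addr.is_unspecified:
        return False, "0.0.0.0 is the unspecified address; pick a real, unused address"
    for net in in_use:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network:
            return False, f"{addr} overlaps {network}"
    return True, "ok"


if __name__ == "__main__":
    for diff in proposal_mismatches(ROUTER_WIZARD, CLIENT_WIZARD):
        print("mismatch:", diff)
    print("weak in router wizard:", weak_settings(ROUTER_WIZARD))
    # Constructed example ranges: router LAN and a corporate block reachable through it.
    used = ["192.168.1.0/24", "10.0.0.0/8"]
    for candidate in ("0.0.0.0", "192.168.1.50", "192.168.33.3"):
        print(candidate, check_client_address(candidate, used))
```

Run as-is, the script prints five mismatches (everything in Phase 1, plus encryption and PFS in Phase 2), shows that only the router wizard's defaults contain deprecated algorithms, and accepts 192.168.33.3 while rejecting 0.0.0.0 and an address inside the LAN range.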
SSL and L2TP VPN connectivity are supported for remote devices. For PCs, I prefer using SSL tunnels for remote access. ZyXEL's SSL VPN solution uses their SecuExtender software, which supports Windows 8, 7, Vista, 2003, XP and MacOS 10.7 or later. The SecuExtender software is installed on a Windows PC when you first connect to the USG. You can download SecuExtender for the Mac here.
I followed the same configs on the USG40 that I used on the ZyWALL 110 to set up an SSL connection, so I'll refer you to my ZyWALL 110 review for those steps. Below is a screenshot showing an active SSL VPN connection to the USG40.
For handheld devices, L2TP is a useful remote solution as the L2TP client is built into the iPhone and Android operating systems. However, configuring an L2TP tunnel manually on the USG40 is no picnic. Thankfully, there is an L2TP configuration wizard to set up L2TP on the USG40, which enabled me to get it working with an iPhone and a Windows 8 laptop. Below is a screenshot showing my active L2TP VPN connection to the USG40.
To measure VPN throughput on the USG40, I used two PCs running 64-bit Windows with their software firewall disabled. Using TotuSoft's LAN Speed Test client and server application, with a file size of 100MB, I measured throughput over an IPsec, SSL, and L2TP tunnel. Below are my throughput measurements.
Updated 12/11/14: Throughput column headings have been swapped
| IPsec Client to Site | 47.8 | 52.1 |
Table 1: VPN throughput
VPN throughput on the USG40 is significantly improved over the USG20. On the USG20, I measured peak IPsec throughput at 27.9 Mbps and peak SSL throughput at 4.79 Mbps. On the USG40, I measured peak IPsec throughput at 53.8 Mbps and peak SSL throughput at 19.7 Mbps. L2TP throughput on the USG40 maxed at 56 Mbps.
Note 1: IPsec throughput was the same with pre-shared key and certificate authentication. I tried both peer authentication methods in response to a SmallNetBuilder forum question about whether certificate authentication could improve IPsec performance.
Note 2: I used ZyXEL's ZyWALL 110 to measure IPsec throughput with the USG40. The ZyWALL 110 is rated at 300 Mbps IPsec VPN throughput, which is much higher than the USG40's 100 Mbps rating. Thus, the ZyWALL 110 wouldn't be the bottleneck.
Note 3: ZyXEL uses a UDP based test to rate throughput on their devices. The TotuSoft test uses TCP. UDP has a lower overhead than TCP, so ZyXEL's ratings are typically higher than my measurements.