For its anti-spam feature, ZyXEL says "it shares the same database used by Google to protect its customers from malware. ZyXEL's embedded Anti-Spam technology is powered by a large-scale, cloud-based security platform deployed across 12 carrier-grade data centers and multiple worldwide traffic collection nodes, gathering billions of Internet transactions daily to protect over 600 million users".
The ZyXEL Anti-Spam feature tags incoming email so you can use your email client (Outlook or other) to delete or route the tagged emails to a folder. The default tag is "spam", which can be changed. Spam can be detected and tagged through the use of the USG20-VPN's DNSBL, Black and White lists, Mail Scanning and Profile menus. As with Content Filtering, the ZyXEL Configuration Walkthrough in the Anti-Spam menu was helpful to enable the Anti-Spam feature.
The DNSBL (DNS Black List) menu allows you to enable email filtering using an external DNSBL website, choices are listed at www.dnsbl.info, to check whether the sender's source IP address is a known sender of spam. In the below screenshot, I've added b.barracudacentral.org and zombie.dnsbl.sorbs.net as two sites that the USG20-VPN will use to determine if an email is spam.
Black and White lists allow you to manually filter (block or permit) emails sent via SMTP or POP based on keywords in the Subject line or Mail Header, the IPv4 or IPv6 address, or the email address. The Mail Scan tool allows the USG20-VPN to detect tag emails with viruses.
Finally, an Anti-Spam Profile enables you to drop, forward, or forward-with-tag emails that are detected by the DNSBL, Black List, or Mail scanner. In addition, detected spam emails can trigger a log or log alert.
The image below is a nice depiction of the VPN options on the USG20-VPN. The USG20-VPN supports L2TP, SSL, and IPsec VPN connections. L2TP support makes it easy for handheld devices to remotely connect to the USG20-VPN and L2TP can also be used by PCs. SSL support simplifies connectivity for remote PCs, and IPsec provides VPN connectivity for remote clients and routers.
ZyXEL USG20-VPN VPN Capability
To set up an L2TP connection, I used the VPN Setup Wizard which does a pretty good job walking you through most of the L2TP setup. However, the Wizard omits the step to create a user, which is referenced in this help guide. With the Wizard to help me through the VPN setup, and the document's instructions on creating a user and my iPhone, I successfully set up a connection between an iPhone 6s and the USG20-VPN. The USG20-VPN L2TP setup steps and connection status screen are shown in the gallery.
Windows and MacOS also support L2TP connections. I successfully set up an L2TP connection to the USG20-VPN from a Windows 10 PC. On your Windows PC, configure the VPN Connection Properties for L2TP, enter your Pre-Shared-Key in the Advanced Settings and select Allow these protocols with MS-CHAP v2 selected, shown in the screenshot below.
Windows L2TP Setup
The USG20-VPN SSL VPN configuration menu doesn't have a Setup Wizard, but the configuration walkthough contained all the necessary steps. Configuration involves creating a user, a user group, an IP address pool and an SSL access policy. I copied the examples in the walkthrough.
ZyXEL supports SSL VPN connections on the USG20-VPN for MacOS 10.7 and above and Windows PCs with the SecuExtender SSL VPN client. For a Mac, the client is available via the download link in the SSL configuration menu. For a PC, you're prompted to download and install the client the first time you attempt to connect via an SSL VPN tunnel to the USG20-VPN.
The only challenge I had connecting my Windows 8.1 PC was I had to run Internet Explorer in Administrator mode to successfully install the client and connect to the USG20-VPN. Below is a screenshot showing a live SSL connection from my Windows 8.1 PC to the USG20-VPN.
SSL VPN Connection
Although SecuExtender works, I prefer OpenVPN for SSL connections. OpenVPN is supported by multiple router manufacturers (ASUS, Linksys, and NETGEAR to name a few) and has client software for PCs and handhelds. If you connect to multiple different routers, it is helpful to use just one client. I've found multiple VPN client software applications can cause conflicts on a PC.
The USG20-VPN supports Client-to-Site IPsec VPN and Site-to-Site IPsec VPN connections. I was able to configure and connect a Client-to-Site IPsec tunnel, but I couldn't pass traffic over the tunnel. I worked with ZyXEL engineering, but we couldn't resolve the issue. It's too bad the Client-to-Site IPsec tunnel didn't work, because the configuration steps on the TheGreenBow client software and on the USG20-VPN were easier than on previous USG routers. However, I don't consider the lack of a Client-to-Site IPsec solution a major issue, as I prefer L2TP and SSL connections for their simplicity. We'll post an update when ZyXEL lets us know it has fixed the problem.
After troubleshooting with ZyXEL, we determined the issue with the IPSec Client was that my client PC was on the same subnet as the USG-VPN's WAN interface, which is my usual test scenario. Until now, I've never had a problem testing VPN clients from the same subnet as the router's WAN interface. For example, the ZyXEL SSL VPN client worked on the same subnet as the USG20-VPN's WAN interface.
Apparently, the latest version of the GreenBow client software requires the IPSec client is on a different subnet than the WAN interface. So, I put my PC on a different subnet, and sure enough, the tunnel came up and I could pass traffic over the tunnel.
As mentioned in my review of the USG20-VPN, ZyXEL made it easy to configure the IPSec client on both the USG20-VPN and the client software. ZyXEL sent me a step-by-step document on how to configure an IPSec client on the USG20-VPN and client software, which they said they'd post on their website soon. In the meantime, you can download it here.
The USG20-VPN also supports Site-to-Site IPsec VPN connections. I had no problem manually configuring an IPsec VPN tunnel from the USG20-VPN to a Linksys LRT224, using 3DES encryption and SHA-1 authentication. The tunnel connected as expected and I was able to pass traffic between both routers.
To measure VPN throughput on the USG20-VPN, I used two PCs running 64-bit Windows with their software firewall disabled. Using TotuSoft's LAN Speed Test client and server application, with a file size of 100 MB, I measured throughput over an L2TP, SSL, and IPsec tunnel. Below are my VPN throughput measurements for the USG20-VPN and the previously reviewed USG40.
|Client > Gateway (Mbps)|
|IPsec Site to Site||54.98 [Note 1]||49.5||N/A|
|Gateway > Client (Mbps)|
|IPsec Site to Site||52.61 [Note 1]||53.8||27.9|
Table 2: VPN Performance
VPN throughput on the new USG20-VPN is faster than the 2014 USG40, and significantly faster than the 2011 USG20. I measured peak L2TP throughput at 59.07 Mbps on the USG20-VPN compared to 56.0 Mbps on the 2014 USG40. The 2011 USG20 didn't support L2TP. I measured peak SSL throughput at 24.09 Mbps on the USG20-VPN compared to 19.7 Mbps on the 2014 USG40 and 4.79 Mbps on the 2011 USG20. I measured peak IPsec throughput at 54.98 Mbps on the USG20-VPN compared to 53.8 Mbps on the 2014 USG40 and 27.9 Mbps on the 2011 USG20.
Note 1: I used Linksys' LRT224 to measure IPsec throughput with the USG20-VPN. The USG20-VPN is rated by ZyXEL at 90 Mbps for IPsec throughput and the LRT224 is rated by Linksys at 110 Mbps for IPsec throughput.
Note 2: Router manufacturers typically use a UDP based test to rate throughput on their devices. The TotuSoft test uses TCP. UDP has a lower overhead than TCP, so manufacture VPN ratings are typically higher than my measurements.
VPN High Availability can be configured on the USG20-VPN if you have multiple WAN interfaces. This configuration is complex. ZyXEL has a configuration guide in section 6 of this document. It involves configuring GRE (Generic Route Encapsulation) tunnels via both WAN interfaces, configuring load balancing over the GRE tunnels, configuring IPsec tunnels and routing the GRE tunnels through the IPsec tunnels, and then routing local traffic through GRE. (I told you it was complex.)