The RV345P supports Generic Route Encapsulation (GRE), Site-to-Site (S2S) IPsec, Client-to-Site (C2S) IPsec, PPTP, L2TP, and SSL tunnels. I started by testing an S2S IPsec VPN tunnel.
When you create an S2S tunnel on the RV345P, you create a profile for your tunnel or use one of the pre-defined profiles labeled as Default, Amazon Web Services, or Microsoft Azure. These pre-defined profiles, if they apply to your desired tunnel, simplify S2S settings by filling in the DH, Encryption, and Authentication and Timer options.
There is a Wizard in the RV345P GUI for setting up S2S tunnels, which worked like a champ. I was easily able to set up and establish an S2S tunnel over a direct Gigabit Ethernet connection with a Linksys LRT224 router using AES-256 encryption and SHA-1 authentication. Below is a screenshot from the RV345P showing my established S2S tunnel to the LRT224.
IPSec VPN Tunnel
For remote access, the RV345P supports C2S IPsec, PPTP, L2TP and SSL VPN connections.
Client to Site (C2S) IPsec tunnels are a bit more challenging to configure than S2S IPsec and the manual lacks detail and configuration examples. I couldn't get a C2S tunnel to come up with trial and error, so I asked Cisco for assistance. Cisco provided guidance that worked and they plan to update their instructions as well.
If you're going to use a third-party IPsec client, like ShrewSoft's free IPsec client, you need to enable the third-party client option in the RV345P C2S menu, as well as enter your IPsec key and IPsec client IP address range. The RV345P's default IPsec profile uses AES-128 encryption, SHA-1 authentication, and DH Group 5 for phase 1 and 2 IPsec configurations. You then need to select the same IPsec options, as well as "Mutual PSK+XAuth" for authentication on the ShrewSoft client. Once configured, my C2S connection succeeded, as shown below.
Client to Site VPN
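As an added illustration (not from the review, Cisco, or Shrew Soft), the sketch below compares a client profile against the router-side C2S proposal quoted above and lists every field that would keep the tunnel from negotiating. The `type:key:value` layout and key names are modelled on a Shrew Soft `.vpn` export and are assumptions to check against a real export; the sample profile is constructed.

```python
# Added example: find proposal mismatches between an IPsec client profile and
# the router-side C2S settings quoted in the review (AES-128, SHA-1, DH Group 5
# for phase 1 and 2, "Mutual PSK+XAuth"). Key names are assumptions modelled on
# a Shrew Soft .vpn export; verify them against a real exported profile.

# Router side, taken from the review text.
ROUTER_C2S = {
    "auth-method": "mutual-psk-xauth",
    "phase1-cipher": "aes", "phase1-keylen": 128,
    "phase1-hash": "sha1", "phase1-dhgroup": 5,
    "phase2-transform": "esp-aes", "phase2-keylen": 128,
    "phase2-hmac": "sha1", "phase2-pfsgroup": 5,
}

# Constructed sample client profile with two deliberate mismatches.
SAMPLE_PROFILE = """\
n:version:4
s:network-host:192.0.2.1
s:auth-method:mutual-psk
s:phase1-cipher:aes
n:phase1-keylen:128
s:phase1-hash:sha1
n:phase1-dhgroup:2
s:phase2-transform:esp-aes
n:phase2-keylen:128
s:phase2-hmac:sha1
n:phase2-pfsgroup:5
"""

def parse_profile(text):
    """Parse 'type:key:value' lines; 'n' values become ints, others stay strings."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        kind, key, value = parts
        settings[key] = int(value) if kind == "n" else value
    return settings

def find_mismatches(client, router):
    """Return {key: (client_value, router_value)} for every field that differs."""
    return {k: (client.get(k), want)
            for k, want in router.items() if client.get(k) != want}

if __name__ == "__main__":
    diffs = find_mismatches(parse_profile(SAMPLE_PROFILE), ROUTER_C2S)
    for key, (got, want) in diffs.items():
        print(f"{key}: client={got!r} router={want!r}")
```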
Cisco states the RV345P supports 25 PPTP connections with 100 Mbps total throughput. The instructions in the Cisco manual were a bit vague, but enabling PPTP on the RV345P was pretty straightforward. I enabled the PPTP server and added IP address details for PPTP clients as shown below.
PPTP Setup
I had to play around with the PPTP settings on my Windows 10 PC until I got it to work. I ended up selecting PAP authentication after CHAP and MS-CHAP both failed. Below is my Windows 10 configuration that ended up working on the RV345P.
Windows PPTP Setup
Once I tried this setting, I was able to remotely connect to the RV345P, as shown below.
L2TP was more challenging than PPTP. As with C2S IPsec, I had to consult Cisco for assistance. The keys to setting up L2TP on the RV345P are to enable a user group with L2TP permissions and to create an IPsec profile that will work with Windows and Apple products. Cisco recommends the default RV345P IPsec profile using 3DES encryption, SHA-1 authentication and DH Group 2 for phase 1 and phase 2 IPsec configurations.
I tested L2TP to the RV345P from a Windows 10 PC. Below is a screenshot showing the Windows selections. As with PPTP, PAP is the authentication method for L2TP. In the Advanced settings section, you enter the pre-shared key you created on the RV345P.
Windows L2TP Setup
With these settings applied on the RV345P and my Windows 10 PC, I was able to establish an L2TP VPN tunnel to the RV345P as shown below.
To remotely connect to the RV345P via SSL, you need to install the Cisco AnyConnect Secure Mobility Client. The RV345P supports 2 SSL VPN tunnels by default and, with a license (Cisco 1-Year RV Router Anyconnect Server 25 Tunnels, LS-RV-ACS-25-1YR=, $70), can support up to 50 tunnels. You can download the client software from Cisco.com (choose the "Pre-Deployment Package" option for your operating system) and use it during the RV345P trial license period (90 days). After that, you'll need to purchase a license for the number of connections you want to support. A one year AnyConnect Plus license runs $3.99 for one user; $99.75 for 25.
The RV345P's configuration was a matter of enabling the SSL VPN service and entering an IP address range for clients. The only trick on the AnyConnect software is to specify the IP address and port (8443) for the connection. My test RV345P had a WAN IP address of 172.24.7.101, so I used 172.24.7.101:8443 as the target in the AnyConnect software, which resulted in a working SSL connection, shown below.
I used TotuSoft's LAN Speed Test client and server application for VPN throughput testing, using two PCs running 64-bit Windows with their software firewall disabled and 100 MB file size. I measured peak upload and download throughput over each of the VPN tunnels as shown in Table 2. Note that Cisco specs IPsec throughput at 650 Mbps.
|Max Throughput (Mbps)|
Table 2: VPN throughput
PPTP and SSL results were surprising, and not in a good way. I went back and retested my two PCs head to head, verifying they were capable of over 800 Mbps directly connected over a LAN. I then retested both VPNs to double-check my results, which were consistent. PPTP throughput on the RV345P was very asymmetrical with 147.9 Mbps up and only 2.5 Mbps down. Cisco rates the RV345P capable of 100 Mbps for PPTP throughput.
SSL throughput on the RV345P was slow overall at 7.0 Mbps up and 5.6 Mbps down. This is very disappointing, considering you need to pay extra for the AnyConnect license to achieve such meager throughput.
I also tested IPsec Site-to-Site throughput connecting to a Linksys LRT224, measuring 48.9 Mbps up and 81.2 Mbps down. Given the Client-to-Site results above, the Linksys is obviously the limiting factor in these results.
802.3at Power over Ethernet is supported on eight of the 16 LAN ports (ports 1-4 and 9-12). The RV345P supports up to 30 W per port with a total capacity of 120 W. I connected a PoE capable switch to the RV345P, which powered up right away. As you can see in the screenshot, the RV345P is providing 13 W of power, with 107 W of power available.
Firewall and Security
The Firewall menu on the RV345P is relatively basic, but easy to use. For example, enabling remote access is a simple check box titled "Remote Web Management," a refreshingly simple process compared to more complex routers such as the recently reviewed MikroTik hEX and Ubiquiti EdgeRouter Lite.
Access Rules can be created to control IPv4 and IPv6 traffic flows to allow or deny traffic based on source and destination interface and IP address, as well as based on daily and hourly schedules. The screenshot shows an RV345P Access Rule configuration.
Cisco states the RV345P supports dynamic web filtering and internet access policies, which can limit Internet surfing to appropriate site categories and eliminate unwanted network traffic. The main Security menu options are Application Control, Web Filtering, and Content Filtering. All three are licensed features, so you'll need to pony up $120 for a year of service if you want to use them beyond the 90 day trial period (order LS-RV34X-SEC-1YR=). This license is in addition to the AnyConnect SSL router and client licenses.
Application Control can be applied with a configuration Wizard or manually. I used the Wizard to block all types of Internet traffic, shown below, to see what it would do.
Each of the above categories has multiple subcategories. For example, in the Shopping category, there is a subcategory for Amazon shopping. Each subcategory can be set to Permit & Log, Permit, Block, or Block & Log. I chose Block & Log on Amazon, which is a subcategory under Business/Investment, and then tried to surf to amazon.com. Before I applied the Application Control policy, I was able to surf to Amazon.com, but once applied, my browser just spun and the page wouldn't come up. Once I removed the filter, I was again able to access amazon.com. I was a bit surprised an error message wasn't presented instead of just blocking the page, though.
Application Control also provides the ability to control Internet access based on device type such as Camera, Computer, Game Console, Media Player, Mobile, and VoIP, as well as based on OSes including Android, Blackberry, Linux, OSX, Windows, and iOS. Further, pre-built schedules can be applied to filter based on Business, Evening and Working hours. You can also create custom schedules. Finally, filters can be applied by specific IP addresses or groups of IP addresses.
Web Filter rules can also be applied by device type, OS, schedules, and IP addresses as with Application Controls. Web Filtering can also be applied to protect end devices against malicious websites as shown in the screenshot.
To test the RV345P's Anti-Malware protection, I used the Wicar.org malware test site. First, I left the Web Filter disabled to see what would happen. When I tried to download the test malware with the Google Chrome browser, I got a Google Chrome warning blocking the test malware, meaning the traffic got through the router and was blocked by Chrome. I then created a Web Filtering policy on the RV345P with a setting of high and selected all categories to filter, as shown below.
I then tried to browse to the site and download the test malware. Again, I received a Chrome block message, telling me the traffic got through the RV345P and was again blocked by Chrome. The test left me wondering about the effectiveness of the RV345P's malware protection.
Content Filtering allows for blocking manually-entered domain names. I set up the below simple Content Filtering rule to block access to smallnetbuilder.com, which worked in the same manner as the Application Controls by blocking access, but not presenting an error or warning message.