The VFG is a surprisingly capable VPN router, considering its low price. It supports IPsec and PPTP site-to-site and remote access (client-to-gateway) tunnels. ZyXEL provides a simple wizard for configuring each. All the typical IPsec encryption and authentication options are supported, as shown in the configuration screen below.
Figure 7: VFG6005 IPsec settings
To test IPsec, I set up an IPsec tunnel using 3DES and SHA-1 between the VFG and my standard site-to-site test partner, a NETGEAR SRX5308 high performance VPN router. I used the wizard on both the ZyXEL and NETGEAR to configure the tunnel options, then manually tweaked the ZyXEL options to enable 3DES encryption. Once configured, the tunnel established right away. I also found I was able to simultaneously establish a PPTP tunnel and an IPsec tunnel. Figure 8 shows the established IPsec connection to the NETGEAR.
Figure 8: IPsec tunnel status
Remote client access to the VFG LAN can be achieved through an IPsec or PPTP tunnel, but ZyXEL doesn't provide IPsec client software. So users without IPsec software are left with the PPTP option. I find this solution reasonable, as PPTP is included in Windows 7.
I tested remote client VPN access to the VFG with PPTP using a Windows 7 64-bit PC. The VFG also provides a wizard for the PPTP configuration, but I chose to set it up manually, which was quite simple. Configuring the VFG as a server for PPTP requires enabling the server, and adding a user name and password. I also had to disable the VFG's Hardware Accelerator (more on this later). Figure 9 shows my PPTP server configuration.
Figure 9: PPTP settings
As discussed in previous VPN router reviews, configuring Windows' PPTP client is point and click. Here's the quick setup if you need it:
- From the Network and Sharing Center in the Control Panel, select Set up a new connection or network
- Select Connect to a workplace
- Select No, create a new connection
- Select Use my Internet connection
- Enter the IP or dynamic DNS name you've assigned to the router
- Select Don't connect now, just set it up so I can connect later
- At the next screen, enter the user name and password you created on the VFG.
These steps will create the new VPN connection on your PC. Once created, right-click on that connection and select Properties. In the Security tab, select PPTP. Save your changes, right-click the connection again and click Connect.
With the settings above and an enabled PPTP interface on my PC, I had no problems remotely connecting to the VFG. In fact, I tested PPTP connections to the VFG while on a recent business trip and was able to successfully connect to the VFG from an airport as well as from a hotel in Europe.
Note, the VFG doesn't provide a status screen or indicator that there is an active PPTP connection, other than a log message saying PPTP Server: client [192.168.199.110] local [192.168.39.1] connected [OK].
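Since that log message is the only record of a PPTP session, a short script can pull connection events out of an exported log and flag client addresses outside the range you expect. This is an added example, not code from the review or from ZyXEL; only the message format comes from the text above, while the timestamp prefix, the filler line, the extra addresses and the expected range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Message format as quoted in the review; any prefix before "PPTP Server:" is ignored.
PPTP_CONNECT = re.compile(
    r"PPTP Server: client \[(?P<client>[0-9.]+)\] "
    r"local \[(?P<local>[0-9.]+)\] connected \[OK\]"
)

# Constructed sample log (timestamps and the non-PPTP line are assumptions).
SAMPLE_LOG = [
    "Jan  1 10:02:11 PPTP Server: client [192.168.199.110] local [192.168.39.1] connected [OK]",
    "Jan  1 10:05:40 DHCP: lease renewed",
    "Jan  1 11:17:03 PPTP Server: client [192.168.199.110] local [192.168.39.1] connected [OK]",
    "Jan  1 12:30:59 PPTP Server: client [10.20.30.40] local [192.168.39.1] connected [OK]",
    "Jan  1 12:31:00 PPTP Server: client [999.1.1.1] local [192.168.39.1] connected [OK]",
]

def parse_pptp_events(lines):
    """Return (client, local) address pairs for each valid PPTP connect message."""
    events = []
    for line in lines:
        m = PPTP_CONNECT.search(line)
        if not m:
            continue
        try:
            events.append((ip_address(m["client"]), ip_address(m["local"])))
        except ValueError:
            continue  # bracketed value is not a valid IPv4 address; skip the line
    return events

def summarize(lines, expected_ranges):
    """Count connects per client and list clients outside the expected ranges."""
    ranges = [ip_network(r) for r in expected_ranges]
    counts = Counter()
    unexpected = set()
    for client, _local in parse_pptp_events(lines):
        counts[str(client)] += 1
        if not any(client in r for r in ranges):
            unexpected.add(str(client))
    return counts, sorted(unexpected)

if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_LOG, ["192.168.199.0/24"])
    print("connects per client:", dict(counts))
    print("outside expected range:", unexpected)
```
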
If you look back at Figure 1, you'll see ZyXEL shows an Android or iPhone/iPad connecting to the VFG via a PPTP tunnel. I recently picked up an iPad2 and I didn't even realize it supported VPNs. So I had to try this out. I found it easier to configure PPTP on the iPad than on my Windows PC!
From the iPad's General-Network menu, I added a configuration in the VPN menu under the PPTP tab by keying in the VFG's WAN IP and my PPTP user name and password. When I turned the VPN connection on, I was connected to the VFG within seconds via a PPTP tunnel from my iPad and able to browse the VFG's configuration menus. Notice the VPN icon on the top left of Figure 10, showing an active PPTP VPN connection.
Figure 10: iPad connected via PPTP
The VFG has a menu option for L2TP tunnels, but I'm not sure it is meant to be there. L2TP is not listed in the VFG's product specs, on the product packaging, or in the product data sheet, leading me to believe L2TP may be an unsupported menu option.
I tested L2TP on the VFG anyway and couldn't get it to work, regardless of the configuration options. I did a packet capture on my PC and on the VFG's WAN connection while attempting to set up an L2TP connection and could see the VFG was not even responding to L2TP setup requests, indicating the problem wasn't a setting mismatch.
I tested the VFG's VPN client-to-gateway performance with iperf using default TCP settings, with a TCP window size of 8 KB and no other options. I ran iperf on two PCs running 64-bit Windows 7 with their software firewalls disabled. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
Note, I typically measure IPsec throughput using 3DES encryption. But in this case, I measured both 3DES and AES on the VFG, as ZyXEL lists the VFG as capable of 11 Mbps IPsec throughput with AES encryption. As you can see in Tables 1 and 2, clearly the VFG is optimized for AES encryption over 3DES encryption.
The tables show my VPN throughput measurements over the three tunnel types on the VFG. They also show my VPN throughput measurements from four other wired VPN routers I've reviewed, the TrendNet TW100, Draytek 2920, NETGEAR FVS318G and the Cisco RV042v3.
|Test Description||Throughput - (Mbps)|
Table 1: VPN Performance comparison - client to gateway
Note that IPsec throughput was not affected by the VFG's hardware accelerator. PPTP throughput was measured with the VFG's hardware accelerator disabled, which is required to enable PPTP. I'll touch on the hardware accelerator more in the features section of this review.
|Test Description||Throughput - (Mbps)|
Table 2: VPN Performance comparison - gateway to client
As you can see from the results, the VFG's AES client-to-gateway throughput of 12.1 Mbps and gateway-to-client throughput of 10.9 Mbps validate ZyXEL's rating of 11 Mbps. This is impressive! Most of the time, manufacturer claims don't match the iperf test results.
Clearly, AES throughput on the VFG is faster than its 3DES throughput of 5.9 Mbps / 5.6 Mbps. Further, AES and 3DES throughput on the VFG are faster than the 3DES throughput numbers of both the TW100 (3.32 Mbps / 2.85 Mbps) and the FVS318G (2.72 Mbps / 2.72 Mbps). But the VFG is no match for the 3DES throughput of the Draytek 2920 (17.8 Mbps both directions) or the Cisco RV042v3 (37.1 Mbps client-to-gateway and 47.5 Mbps gateway-to-client).
The VFG's PPTP throughput of 10.8 / 6.54 Mbps is pretty close to the TW100's 8.95 / 7.61 Mbps and Cisco's 10.8 / 9.7 Mbps, but well below the Draytek's 19.9 Mbps. The FVS318G does not support PPTP.
To wrap up, ZyXEL lists the VFG as capable of supporting up to 32 IPsec and 16 PPTP tunnels. While I didn't try this many, I had no problem running both flavors simultaneously. Further, I like the fact that AES is faster on the VFG than 3DES because AES is more secure. As long as the other endpoint or your client software supports AES, using AES for IPsec encryption is a good thing.