There are three key differences among inexpensive VPN endpoint routers: the VPN standard they support; the throughput when using the VPN tunnel; and the configurability of the tunnel setup and operating features. The 318 is similar to many other inexpensive VPN endpoint routers in that its endpoint supports the IPsec protocol only. Although IPsec is becoming more common in VPNs, this limitation means that you won't be able to use the endpoint feature if the remote VPN gateway that you're trying to connect to uses another VPN protocol such as PPTP, L2TP, or a proprietary protocol. In that case, you'll have to rely on the router's VPN pass-through features, which require that you run the proper VPN client software on each computer that needs a VPN connection.
The second similarity of the 318 to other products is that it does not use a hardware co-processor for the IPsec encryption. This means that the connection speed through the VPN tunnel will be much slower than you'll get with non-VPN connections, and may not be adequate if, for example, you transfer a lot of large files through the VPN tunnel.
Finally, the configurability of the 318's VPN features may ultimately be what determines whether it will work in your VPN setup. If you're using a pair of them to set up an IPsec VPN between two sites, you'll be OK, and NETGEAR will provide support to get your connection working. However, if you're just using one 318 on your home LAN to connect into your company's VPN, or you want to have a VPN connection from one remote computer into your home's LAN, you'd best read the disclaimer that appears a few times in NETGEAR's User Guide:
Note: The FVS318 VPN Firewall uses industry standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable. NETGEAR provides support for connections between two FVS318 VPN Firewalls, and between an FVS318 VPN Firewall and the SafeNet Secure VPN Client for Windows. Although the FVS318 can interoperate with many other VPN products, it is not possible for NETGEAR to provide specific technical support for every other interconnection.
Although you may not like NETGEAR's restriction, or the fact that the SafeNet client costs $149, I give them points for at least being up front in their position so that buyers can make an informed decision. In poking around on NETGEAR's support site, I found indications that they are working on application notes that will describe how to set up a VPN connection to some of the more popular VPN products. But right now, there's nothing that you can download... not even instructions on how to connect to the built-in IPsec client in a Win 2000 or XP machine.
I used a subnet-to-subnet configuration with static IPs for the remote gateways, and IKE (automatic) Association mode to set up my test tunnel between two 318s. The setup screen for one router is shown in Figure 4 below. Note that I had to change the base IP address of one of the routers from the factory-default 192.168.0.1 to 192.168.1.1, so that the routers (and I!) wouldn't get confused trying to route between two identically-numbered subnets.
Figure 4: VPN IKE
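The renumbering step above generalizes to a pre-flight check for any subnet-to-subnet tunnel plan. The following is an added example, not from the review or from NETGEAR: the site names are hypothetical and the /24 mask is an assumption, since the review gives only the routers' base addresses.

```python
import ipaddress
from itertools import combinations

# Constructed site plans. Base addresses are the ones named in the review;
# the /24 prefix length and the site names are assumptions for illustration.
SITES_FACTORY_DEFAULT = {"site-a": "192.168.0.1/24", "site-b": "192.168.0.1/24"}
SITES_RENUMBERED = {"site-a": "192.168.0.1/24", "site-b": "192.168.1.1/24"}


def lan_network(router_addr):
    """Derive the LAN subnet from a router's LAN address and prefix."""
    return ipaddress.ip_interface(router_addr).network


def find_conflicts(sites):
    """Return (site, site, subnet, subnet) for every pair of LANs that overlap.

    overlaps() also catches partial overlap, e.g. a /24 inside a remote /16,
    which renumbering to a neighbouring /24 would not fix.
    """
    nets = sorted((name, lan_network(addr)) for name, addr in sites.items())
    return [
        (a, b, str(net_a), str(net_b))
        for (a, net_a), (b, net_b) in combinations(nets, 2)
        if net_a.overlaps(net_b)
    ]


def suggest_free_subnet(sites, pool="192.168.0.0/16", prefixlen=24):
    """Return the first subnet in the pool that no site's LAN overlaps."""
    used = [lan_network(addr) for addr in sites.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for label, plan in (("factory default", SITES_FACTORY_DEFAULT),
                        ("renumbered", SITES_RENUMBERED)):
        conflicts = find_conflicts(plan)
        print(label, "->", conflicts or "no overlapping subnets")
    print("free subnet:", suggest_free_subnet(SITES_FACTORY_DEFAULT))
```
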
If you need finer control over your tunnel setup, you can choose Manual Association mode, which changes the screen to present the different setup options shown in Figure 5 below. Note that neither mode gives you control over what happens during Phase 1 and 2 of tunnel setup, which might be needed if you're trying to connect to a different manufacturer's gateway. You can't select whether the
I had no trouble getting my test connection established once I finished entering the setup information (which is good, given my frustration with the VPN Status and Log screens that I've already described!). All I had to do was try to access a computer on the "remote" end of the tunnel (the User Guide suggests just pinging the computer on the other end of the tunnel) and the routers established the tunnel automatically. That was good, because although there's a button in the VPN status screen to drop a connection, there's no "connect" button anywhere to be found!
Finding a computer on the remote end, however, was a little bit of a challenge, since the 318 does not support NetBIOS broadcast. This means that remote computers won't appear in Network Neighborhood (or My Network Places) and you'll have to do a little more work to connect to them.
Once I was connected, I used Qcheck to test the performance of the VPN tunnel. Having previously tested the MultiTech RF550VPN, which also does not use an IPsec hardware co-processor, I wasn't surprised at the throughput, which came in at about 800kbps. This is about 1/8 the speed that you'll get running a normal, unencrypted connection. Response time (latency) is a little higher than you normally see in non-VPN routers, but still acceptable. UDP streaming performance, however, shows that the router was having a hard time keeping up with UDP data coming at it at 500kbps, although when I reduced the rate to 100kbps, the error rate dropped to 0%. Performance was pretty much the same in both Local-to-Remote and Remote-to-Local runs for all tests.
IPsec VPN Performance Test Results

|Test Description|Transfer Rate (Mbps) [1 MByte data size]|Response Time (msec) [10 iterations 100 Byte data size]|Actual throughput (kbps) [10s @ 500kbps]|Lost data (%) [10s @ 500kbps]|
|---|---|---|---|---|
|Local to Remote|0.82|8 (avg)| | |
|Remote to Local|0.79|8 (avg)| | |
|Firmware Version|V1.0 Apr 16 2002| | | |