The star of the 2 Plus show, however, is its IPsec VPN capability. But while its throughput lives up to Zyxel's claims, the 2 Plus does not greatly advance the state of the art in terms of ease of VPN setup or usefulness of its documentation. I have to admit, however, that the VPN Wizard was helpful in getting my test router-to-router tunnel set up, mostly because it presented screens containing all the settings that needed to be configured to get a basic tunnel going and had online help that could be popped up for each screen.
But neither the wizard nor the online help may be bullet-proof enough to get an IPsec tunnel virgin through the process on the first try. For example, I couldn't find a warning about one of the most common mistakes (the failure to make sure that the LANs at each end of the tunnel use different subnets) in the wizard, online help, User Guide or Quick Start.
I also found a subtle error that used the term "remote" instead of "local" in the online help that, if followed, would never get a successful tunnel up. But since I've set up a successful tunnel or two, I was able to get through the wizard and have a working router-to-router tunnel (after, of course, changing the LAN subnet of one of the routers to 192.168.0.X from its default of 192.168.1.X).
The other way to set up a tunnel is to start at the Security > VPN screen and create your Gateway and Network policies from there. Figure 13 shows the rules established by my VPN Wizard session, with the network policy associated with its gateway policy expanded using the "+" icon in the left column. Clicking on the edit icons for each policy brings up its associated edit screen.
Figure 13: VPN Rules IKE screen
Figure 14 shows the Gateway policy edit screen with its extensive options. Of special note are the abilities to enable a redundant remote gateway (the "VPN High Availability (HA)" feature), use a certificate for authentication and the extended authentication options using the built-in authentication database or external RADIUS server. Note also that the gateway policy can handle a dynamic IP address on the local gateway, but the remote must have either a fixed IP address or domain name.
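The two constraints mentioned above (different LAN subnets at each end of the tunnel, and a fixed IP address or domain name for the remote gateway) can be checked before touching the wizard. The following Python sketch is an added example, not Zyxel code; the function names, the "dynamic" marker and the sample gateway values are assumptions made for illustration.

```python
import ipaddress

DYNAMIC = "dynamic"  # constructed marker for a gateway with no fixed address


def is_fixed(gw):
    """True if gw is an IP literal or looks like a domain name."""
    if not gw or gw == DYNAMIC:
        return False
    try:
        ipaddress.ip_address(gw)
        return True
    except ValueError:
        # Crude domain-name test: dotted, no spaces. Not a full validator.
        return "." in gw and " " not in gw


def suggest_subnet(taken, pool="192.168.0.0/16", prefix=24):
    """First subnet of the given size in pool that overlaps none in taken."""
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(t) for t in taken):
            return cand
    return None


def preflight(local_lan, remote_lan, local_gw, remote_gw):
    """Return a list of problems in a router-to-router tunnel plan."""
    problems = []
    # strict=False lets a router address such as 192.168.1.1/24 stand for its LAN
    a = ipaddress.ip_network(local_lan, strict=False)
    b = ipaddress.ip_network(remote_lan, strict=False)
    if a.overlaps(b):
        fix = suggest_subnet([a, b])
        problems.append(
            f"LAN subnets overlap ({a} and {b}); renumber one end, e.g. to {fix}")
    # The local gateway may be dynamic; the remote one may not.
    if local_gw != DYNAMIC and not is_fixed(local_gw):
        problems.append("local gateway is neither dynamic nor a valid address")
    if not is_fixed(remote_gw):
        problems.append("remote gateway needs a fixed IP address or domain name")
    return problems


if __name__ == "__main__":
    # Constructed plan: both routers still on the 192.168.1.X default
    for p in preflight("192.168.1.1/24", "192.168.1.1/24", DYNAMIC, "203.0.113.10"):
        print("FAIL:", p)
```
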