VPN - more

I used a pretty weak pre-shared key to set up my test tunnel, which, after wrestling with an errant setting (more shortly), worked without a problem. I also made an unsuccessful attempt at certificate-based authentication. The failure was likely caused by my being pressed for time and not working my way through all the steps required to successfully exchange certificates between the two routers. The Certificates section (Figure 15) is quite extensive and includes tabs for setting up certificates, Trusted CAs (Certificate Authorities), Trusted Remote Hosts and Directory Servers that hold certificate lists.

Figure 15: Certificates screen

Figure 16 shows the screen for creating a certificate.

Figure 16: Certificate creation screen

Once you have your authentication configured, you need to set up a Network Policy for the tunnel. The controls for that are shown in Figure 17.

Figure 17: VPN Network policy screen

Once you get the rules entered, the usual fun of trying to get the tunnel up and running starts. My first attempt was thwarted by a firewall rule that I had entered during my throughput testing. As usual, the information in the logs was too cryptic to be useful (Figure 18 shows an example of a failed tunnel setup) and it took a Zyxel factory engineer examining my router's configuration dump to get me sorted out. It's interesting to note that a successful tunnel setup gets rewarded with a "Tunnel built successfully" entry in the log, but a failed tunnel attempt doesn't get a corresponding failure message.

Figure 18: Log of IPsec tunnel setup failure

After I cleared the problem rule, I was able to get a tunnel up using a pre-shared key and the VPN "Wizard", accepting most of the defaults for IKE and IPsec proposals. The SA Monitor screen is where you can see the tunnels that are up and running (it would be nice if some sort of indication were provided on the Home page, too). The Global Setting tab holds input and output idle timer settings as well as a gateway domain name update timer and TCP Maximum Segment Size (MSS) controls. The latter defaults to Auto, with Off and User-defined options.

In all, I've had more painful IPsec setup experiences. But as I said at the beginning of this section, the 2 Plus doesn't advance the state of the art in IPsec user friendliness. It should also be noted that Zyxel leaves you on your own to select an IPsec client to use with PCs that need to connect to it securely.
