VPN - more
I used a pretty weak pre-shared key to set up my test tunnel, which, after wrestling with an errant setting (more shortly), worked without a problem. I also made an unsuccessful attempt at certificate-based authentication. The failure was likely caused by my being pressed for time and not working my way through all the steps required to successfully exchange certificates between the two routers. The Certificates section (Figure 15) is quite extensive and includes tabs for setting up certificates, Trusted CAs (Certificate Authorities), Trusted Remote Hosts and Directory Servers that hold certificate lists.
Figure 15: Certificates screen
Figure 16 shows the screen for creating a certificate.
Figure 16: Certificate creation screen
Once you have your authentication configured, you need to set up a Network Policy for the tunnel. The controls for that are shown in Figure 17.
Figure 17: VPN Network policy screen
Once you get the rules entered, the usual fun of trying to get the tunnel up and running starts. My first attempt was thwarted by a firewall rule that I had entered during my throughput testing. As usual, the information in the logs was too cryptic to be useful (Figure 18 shows an example of a failed tunnel setup) and it took a Zyxel factory engineer examining my router's configuration dump to get me sorted out. It's interesting to note that a successful tunnel setup gets rewarded with a "Tunnel built successfully" entry in the log, but a failed tunnel attempt doesn't get a corresponding failure message.
Figure 18: Log of IPsec tunnel setup failure
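Because the router logs a success line but no failure line, the only way to spot a failed tunnel attempt in the log is to look for negotiation starts that are never followed by "Tunnel built successfully" for the same peer. The script below is an added example, not code from the review or from Zyxel; its log layout (timestamp, event text, peer address) and the sample lines are constructed assumptions, not the ZyWALL's actual format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the real ZyWALL log format is not shown on the
# page, so this layout (timestamp, event text, peer=address) is an assumption.
SAMPLE_LOG = """\
2006-03-01 10:00:01 IKE Start Phase 1 peer=203.0.113.5
2006-03-01 10:00:03 IKE Tunnel built successfully peer=203.0.113.5
2006-03-01 10:05:00 IKE Start Phase 1 peer=198.51.100.9
2006-03-01 10:05:40 IKE Start Phase 1 peer=198.51.100.9
2006-03-01 10:10:00 IKE Start Phase 1 peer=192.0.2.20
2006-03-01 10:10:05 IKE Tunnel built successfully peer=192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+ \S+) IKE (.+?) peer=(\S+)$")
START = "Start Phase 1"
SUCCESS = "Tunnel built successfully"

def parse(log_text):
    """Yield (timestamp, event, peer) tuples; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_silent_failures(log_text, window_seconds=60):
    """Return (timestamp, peer) for every negotiation start that was not
    followed by a success entry for the same peer within the window.
    The router logs no explicit failure, so absence of success is the signal."""
    window = timedelta(seconds=window_seconds)
    pending = {}   # peer -> list of start timestamps still awaiting success
    failures = []
    for ts, event, peer in parse(log_text):
        if event == START:
            pending.setdefault(peer, []).append(ts)
        elif event == SUCCESS:
            # A success resolves the starts for this peer that fall inside the
            # window; older starts already timed out and count as failures.
            for start in pending.pop(peer, []):
                if ts - start > window:
                    failures.append((start, peer))
    # Anything still pending at the end of the log never succeeded.
    for peer, starts in pending.items():
        failures.extend((start, peer) for start in starts)
    return sorted(failures)
```

On the sample, the two attempts from 198.51.100.9 are reported; the other peers completed within the window.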
After I cleared the problem rule, I was able to get a tunnel up using a pre-shared key, the VPN "Wizard" and accepting most of the defaults for IKE and IPsec proposals. The SA Monitor screen is where you can see the tunnels that are up and running (would be nice if some sort of indication were provided in the Home page, too). The Global Setting tab holds input and output idle timer settings as well as a gateway domain name update timer and TCP Maximum Segment Size (MSS) controls. The latter defaults to Auto, with Off and User-defined options.
In all, I've had more painful IPsec setup experiences. But as I said at the beginning of this section, the 2 Plus doesn't advance the state of the art in IPsec user friendliness. It should also be noted that Zyxel leaves you on your own to select an IPsec client to use with PCs that need to connect to it securely.