
ASUS SL1000 Internet Security Router reviewed


9. VPN Features

One of the SL1000's saving graces - and probably the feature that will be the most attractive to prospective buyers - is its phenomenal VPN performance. I'll get to how phenomenal shortly, but first let's look at the tunnel setup options.

The SL1000 can handle twenty-five site-to-site or remote user access IPsec tunnels. Figure 12 shows the setup options when using a Preshared Key, while Figure 13 shows how the screen changes if you want to use manual keying.

Figure 12: Example VPN Site-to-Site setup

Figure 13: Tunnel setup with Manual keying

Instead of giving you separate "radio buttons" to set IKE and IPsec parameters, you get drop-downs of pre-made combinations. As far as I can tell, all the combinations you'd want are present, but given the abbreviations and terminology used, you might have a hard time finding the ones you need.

For pre-shared key IKE proposals, you get combinations of DES and 3DES encryption, SHA-1 and MD5 authentication, and Diffie-Hellman Groups 1, 2 and 5. IPsec proposal groupings include combinations of none, DES and 3DES encryption; none, SHA-1 and MD5 authentication; and AH and ESP encapsulation.

There are a few other settings, such as the Chained Authentication Header and Xauth (hidden away in the Aggressive IKE Proposal settings) options that I don't see very often, and Perfect Forward Secrecy (PFS), which I do. One switch I don't see is one that passes the chatty NetBIOS broadcasts needed for Windows network browsing (Network Neighborhood / My Network Places). So you'll have to know the IP address of your desired shares or configure Inbound and Outbound ACLs to pass the NetBIOS ports (TCP and UDP Ports 135, 137-139, and 445). Note that certificate-based authentication is also not supported.

While I'm on the subject of ACLs and IPsec tunnels, I'll make you aware of an SL1000 usability issue that I've previously not encountered in any other SOHO VPN endpoint routers. Since it cost me so much time in getting a tunnel up and running, I thought I'd pass it along:

Once you get an IPsec tunnel successfully established, you also need to configure inbound and outbound ACLs in order to allow traffic to flow through the tunnel.

Once again, something that should be easy is made difficult.

As I mentioned above, the SL1000 can handle site-to-site (router to router) and Remote Access (single client) tunnels. But choosing the Remote Access method brings up a User Group selector and also requires configuring the VPN Virtual IP under the Remote Access menu. Quite frankly, folks, this all made my head hurt and I never was able to get a tunnel working via the Remote Access option.

This doesn't mean that you can't have road warriors securely connecting into your LAN via the SL1000. You'll just have to use site-to-site mode and a VPN client application. I had an old version of SSH's now-departed Sentinel client, which I used to get a tunnel up and running from my WinXP notebook pretty quickly.

TIP: In the past, VPN clients have had rip-off level pricing. But NETGEAR's VPN01L (single license) or VPN05L (5 licenses) - essentially a retail version of the SafeNet IPsec client - provides a reasonably priced (about $40) option.

You can try to use WinXP / 2000's built-in IPsec client if you're patient (I was able to get it to work, but I've had a lot of practice), but only if you can deal with static IP addresses at both ends of the connection, which is rare with connections from folks on the go.

TIP: If you want to learn how to configure the WinXP built-in IPsec client manually, see our Problem Solver.

Finding out what's going wrong with the mating dance between IPsec client and gateway requires good logging of the whole VPN setup process. Unfortunately, the SL1000 isn't very helpful in this regard. You can try using its built-in log page, but I recommend a syslog daemon instead. With either of these methods, however, the log data is in pretty raw format, which makes it hard to tell what's happening.

Finally, if you can't, or don't want to, use the SL1000's IPsec endpoints, you can instead use VPN pass-through with IPsec, PPTP or L2TP client applications. And if you want to substitute a different IPsec server for the SL1000's, you can configure an Inbound ACL for it, but not for PPTP or L2TP gateways.
