Draytek Vigor 2900g Broadband Security Router Reviewed



VPN

The 2900G is the first product I've tested that includes a VPN endpoint that handles PPTP, IPsec and L2TP tunnels for LAN to LAN, remote client to LAN and wireless client to WAN. You can specify up to 32 LAN-LAN tunnels and 32 more remote-LAN tunnels. (Note that the remote-LAN tunnels are used for connections from both WAN and wireless "remote" clients.)

Though the Sonicwall TZW [reviewed here] provides similar functions for IPsec tunnels only, it's priced at about three times the cost of the 2900G and limits the number of tunnels and users.

VPN setup is tricky even when you know what you're doing, and worse if you're a newbie. While DrayTek provides more documentation help with VPN setup than many other vendors, you still may find yourself pulling at your hair. Since I had only one 2900G, I focused on checking out Remote client-to-LAN features (Figure 11).

Figure 11: Remote User VPN setup

The simplest type of remote-to-LAN VPN to set up for Windows users is a PPTP link, since it has been championed by Microsoft and included in every Windows version since Win98. If you're using WinXP you can use the Network New Connection Wizard (Start > Settings > Network Connections) to get set up.

I found that the default settings in the connection set up by XP's Wizard worked just fine with the PPTP defaults in the 2900G. Though Figure 11 shows that I specified the IP address of my "remote" client, you can do that only if you want improved security and know the IP address of connecting clients.

Most of the settings in Figure 11 come into play when using IPsec-based clients. On the router side you can enter a pre-shared key for IKE-based authentication and choose from DES, 3DES and AES encryption levels. Client side configuration is more involved, unless you're using a VPN client application, which DrayTek doesn't provide.

What they do provide on their CD (and also in a Router Tools download) is a little Smart VPN client application. This isn't actually a VPN client, but a helper application that sets up WinXP and 2000's notoriously-difficult-to-configure built-in IPsec client. The little app even will install a Registry key required by Win2000 in order to allow IPsec connections using pre-shared keys.

TIP: If you want to learn how to configure the WinXP built-in IPsec client manually, see our Problem Solver.

I tried setting up an IPsec tunnel using this little client and had partial success. I was able to establish the tunnel just fine, but couldn't get traffic flowing through it. I even tried manually adding a static route to the 2900G's WAN IP address for the remote subnet's (192.168.1.X) traffic, but still couldn't get traffic to flow.

I had even less success getting an L2TP or L2TP / IPsec connection to work. But I confess that I know nothing about wrestling that flavor of VPN into submission, so can't really attest to the 2900G's capabilities in that area.

As I indicated earlier, I didn't try setting up a LAN-to-LAN VPN either, but Figures 12 and 13 give you an idea of the available knobs that you can twiddle. My experience with other products is that you'll be able to get a LAN-to-LAN tunnel working if you use two of the same product (or at least products from the same product line).

Figure 12: LAN-LAN VPN setup - common and dial-out settings.

Interoperability with another vendor's product can be a fruitless exercise, however, unless you're very knowledgeable in the ways of VPNs and have access to good (and patient) support folks for both vendors' products - unfortunately rare in the world of consumer networking products.

Figure 13: LAN-LAN VPN setup - dial-in and TCP/IP settings

Something that definitely helps when trying to get a tunnel set up is access to good setup log data. The 2900G actually does produce some useful VPN setup log information, but none of it is available via the router's web interface (more on this later).

As far as VPN tunnel performance, I was pleasantly surprised. I used Qcheck to run a quick PPTP throughput check and found I had a nice steady 10Mbps from a WinXP client, through the tunnel, to a LAN-side client. Note that this was measured without any other traffic running through the router, but it's still damned impressive!