Jump to content

Recommended Posts

Posted

Looks like it won't be easy to get a VPN going over IPSTAR !!!

By Tim Greene

Network World VPN Newsletter, 07/10/02

For those hard-to-reach VPN sites some people use satellite links, but the performance can be painfully slow.

Unavoidable half-second delays as signals bounce off the satellites can wreak havoc with IP Security because it takes so long for TCP acknowledgement to get back to the sending machine. TCP interprets the satellite delay as network congestion and throttles back its sending rate, meaning the IPSec VPN traffic gets through but at a much slower rate than the link could actually support.

For non-VPN traffic satellite providers get around this problem by spoofing the acknowledgements using devices that are placed between the satellite base station and the customer's sending machine. TCP on the sending machine perceives no congestion and sends at the fastest rate the satellite link can bear.

The problem for VPN traffic stems from the fact that the sending IP address is hidden within another IP header, so the satellite provider cannot spoof an acknowledgement. Only the receiving machine on the other side of the satellite link can unwrap the IPSec packet and send the acknowledgement.

Recently, a company called V-One, which has an application level remote access product called SmartGate, realized its gear could circumvent the satellite delay problem. Because its encryption scheme does not hide the original IP addresses of packets, the satellite service providers can successfully spoof SmartGate traffic. V-One claims SmartGate traffic gets five times the throughput of IPSec VPN traffic over the same satellite link.

V-One says it is in the process of signing up a satellite service provider to co-market V-One gear to its customers, and plans a more formal marketing program called SmartSat.

This V-One satellite architecture is similar to an arrangement sold by satellite service provider Skycasters that it calls Super VPN.

If you are using a satellite link and want to run traffic securely over it, you might try V-One gear or some other application-layer security that would not foul up the spoofing that keeps satellite throughput high.

Posted

Monty,

One of the key things with regard to satellite is fragmentation in addition to delay.

There are two key registry settings that might assist in this regard.

EnablePMTUDiscovery is a good one

Enable PMTUBHDetect doesn't hurt.

Both can be found with a search at http://www.microsoft.com/support

I've been able to run VPN tunnels out of China, outlook and all, by applying these mods.

XP and Windows 2000 are diffent in where these DWORD setting are set.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...