Site-to-Site VPN over satellite?

jlazzaro (Golden Member, joined May 6, 2004)
We have a remote site, a VERY remote site. No T1 availability, no cable/DSL, no cellular service (wireless broadband is out). The only available solution outside dial-up (which they are running now) is satellite.

Satellite advertised speeds are about 1.5 Mbps down / 200 Kbps up. Exactly how much overhead is the 3DES, IKE negotiation, etc. going to add?

I'm afraid of implementing a solution like this with no way to really test it... I'd hate for them, after everything is said and done, to not be any better off vs. dial-up (taking into account the large satellite setup/monthly costs). Any input is appreciated.
 

spidey07 (No Lifer, joined Aug 4, 2000)
40 bytes for the GRE encapsulation, I think, for the tunnel traffic; normally not significant.

For better performance with that latency, set the MTU of the tunnel to 1460. I don't remember what the MTU is for satellite, but you should find out, subtract 40, and set the tunnel to that.

Either way, try to avoid fragmentation.
 
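The "find the link MTU, subtract the encapsulation overhead, and avoid fragmentation" advice above, worked through as an added example (not code from the thread). It is written here for the ciphers the thread mentions, so the ESP overhead is computed per packet rather than taken as a fixed number: ESP tunnel mode adds a new 20-byte IPv4 header, an 8-byte ESP header, the cipher IV, padding up to the cipher block size, a 2-byte trailer and a 12-byte HMAC-SHA1-96 ICV, so it varies with the inner packet length. Plain GRE (20-byte outer IP plus a 4-byte GRE header, no key/sequence/checksum options) is included for comparison. The link MTU of 1500 used in the demo is an assumption; plug in whatever the satellite provider actually supports.

```python
"""Added example: tunnel encapsulation overhead and the inner MTU / TCP MSS
that keeps encapsulated packets from being fragmented on a given link MTU."""

OUTER_IP = 20        # new IPv4 header added by GRE or ESP tunnel mode
GRE_HDR = 4          # basic GRE header, no optional fields
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA1_96 = 12     # HMAC-SHA1-96 authenticator appended by ESP

# CBC ciphers: IV length and block size that padding must round up to
CIPHERS = {
    "esp-3des": {"iv": 8, "block": 8},
    "esp-aes": {"iv": 16, "block": 16},
}


def overhead(inner_len, encap):
    """Bytes added to an inner IP packet of inner_len by the given encapsulation."""
    if encap == "gre":
        return OUTER_IP + GRE_HDR
    c = CIPHERS[encap]
    # Encrypted region = inner packet + padding + 2-byte trailer, a multiple of the block size
    pad = (-(inner_len + ESP_TRAILER)) % c["block"]
    return OUTER_IP + ESP_HDR + c["iv"] + pad + ESP_TRAILER + ICV_SHA1_96


def encapsulated_len(inner_len, encap):
    return inner_len + overhead(inner_len, encap)


def would_fragment(inner_len, link_mtu, encap):
    """True if the encapsulated packet exceeds the link MTU (and DF is not set, it fragments)."""
    return encapsulated_len(inner_len, encap) > link_mtu


def max_inner_mtu(link_mtu, encap):
    """Largest inner packet size that never fragments after encapsulation.
    Walks down from link_mtu because ESP padding makes the overhead non-monotonic."""
    n = link_mtu
    while would_fragment(n, link_mtu, encap):
        n -= 1
    return n


def tcp_mss(inner_mtu):
    """MSS to clamp on the tunnel interface: inner MTU minus IPv4 + TCP headers (no options)."""
    return inner_mtu - 40


if __name__ == "__main__":
    LINK_MTU = 1500  # assumed; replace with the provider's real value
    for encap in ("gre", "esp-3des", "esp-aes"):
        inner = max_inner_mtu(LINK_MTU, encap)
        print(f"{encap:9s} overhead on a 1500-byte inner packet: {overhead(1500, encap)} bytes, "
              f"fragments: {would_fragment(1500, LINK_MTU, encap)}; "
              f"set tunnel MTU {inner}, TCP MSS {tcp_mss(inner)}")
```

The walk-down loop matters: with 3DES, inner sizes 1447 through 1453 all encapsulate to the same 1504-byte packet because of padding, so simply subtracting the "typical" overhead from 1500 can land on a size that still fragments. Pair the computed MSS with an MSS clamp on the tunnel interface so hosts behind it never send full-size segments in the first place.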

cmetz (Platinum Member, joined Nov 13, 2001)
jlazzaro, IPsec ESP SHA1 3DES/AES adds about 28 bytes if memory serves, plus another 20 byte IP header.

Satellite has very high latency, and that's what hurts you. Bad. Many satellite services use devices on either end that game TCP and/or HTTP in certain ways in order to try to "accelerate" things; this helps performance noticeably. With IPsec, you will defeat that. So VPNs over satellite feel the full pain associated with the latency, and it ain't pretty.
 

spidey07 (No Lifer, joined Aug 4, 2000)
cmetz,

What is the latency running? I thought it was around 1000 ms. I don't recall if that is round trip or one way.
 

cmetz (Platinum Member, joined Nov 13, 2001)
spidey07, it depends on which provider you have, which bird, and where you are. LEO birds are much better than the alternatives. Also, some providers (esp. consumer oriented ones) have some birds that are heavily loaded, leading to latency and packet loss. Latency on the order of 500-1000ms is typical.

Incidentally, a good TCP makes a big difference on a satcom link. SACK and FACK are your friends.

The biggest problem I have with satcom is when somebody gets it and it seems to work okay for web pages, but then they try their VPN over it and it's truly painful. So the user says it must be the VPN's fault.
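Why the 500 to 1000 ms figure above hurts an IPsec tunnel more than the bandwidth numbers suggest, as an added example (not from the thread): once the provider's TCP accelerators can no longer see inside the encrypted traffic, the end hosts' own TCP is all that is left, and its throughput is bounded by window size divided by round-trip time, not by the 1.5 Mbps link. The numbers below are the thread's (1.5 Mbps down, 200 Kbps up, 500 to 1000 ms RTT); the 64 KiB default window, the initial congestion window of 2 segments and the 1406-byte MSS are assumptions used for the demonstration.

```python
"""Added example: TCP throughput ceiling and transfer time over a high-latency
satellite link, ignoring loss (SACK/FACK help with loss; this models the
best case with none)."""

import math

MAX_UNSCALED_WINDOW = 65535  # TCP window field without RFC 1323 window scaling


def max_throughput_bps(window_bytes, rtt_s):
    """Upper bound on a single TCP flow: one window per round trip."""
    return window_bytes * 8 / rtt_s


def window_needed(link_bps, rtt_s):
    """Bandwidth-delay product: bytes in flight required to fill the link."""
    return math.ceil(link_bps / 8 * rtt_s)


def window_scale_needed(window_bytes):
    """Smallest RFC 1323 shift count that lets the advertised window reach window_bytes."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < window_bytes:
        shift += 1
    return shift


def slow_start_rtts(nbytes, mss, init_cwnd=2):
    """Round trips for slow start to deliver nbytes (cwnd doubles each RTT, no loss,
    receive window not limiting). The transfer is latency-bound: its wall-clock
    time is rtts * RTT regardless of link speed."""
    segments = math.ceil(nbytes / mss)
    rtts = 0
    delivered = 0
    cwnd = init_cwnd
    while delivered < segments:
        delivered += cwnd
        cwnd *= 2
        rtts += 1
    return rtts


if __name__ == "__main__":
    DOWN_BPS, UP_BPS = 1_500_000, 200_000
    for rtt in (0.5, 1.0):
        ceiling = max_throughput_bps(MAX_UNSCALED_WINDOW, rtt)
        bdp = window_needed(DOWN_BPS, rtt)
        print(f"RTT {rtt:.1f}s: 64 KiB window caps a flow at {ceiling/1000:.0f} kbps; "
              f"filling {DOWN_BPS/1e6:.1f} Mbps needs {bdp} bytes in flight "
              f"(window scale {window_scale_needed(bdp)})")
        rtts = slow_start_rtts(100_000, 1406) + 1  # +1 for the SYN/SYN-ACK handshake
        print(f"  100 KB download: ~{rtts} RTTs = {rtts * rtt:.1f}s before slow start finishes")
```

At 1000 ms RTT a single flow with the default window cannot exceed about 524 kbps down no matter what the link advertises, and the uplink is worse, so window scaling on the hosts behind the tunnel is the first knob to turn once the provider's accelerators are out of the picture. The slow-start count also explains the "web pages were fine, the VPN is awful" complaint: many short interactive transfers each pay several round trips before the window grows.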