Satellite Internet Forum

[Doug_Triblehorn]

An open forum for users to share their experiences in running IPSec VPN with thin client applications (Citrix, MS Exchange, Oracle, SAP, Network Printing) securely over satellite.

[pgannon]

IPSec and other VPNs such as PPTP that encapsulate the orginal TCP data packets will have performance issues over any satellite unless one of several workarounds is implemented.  IPSec encapsulation of UDP applications (such as VoIP) will not have the same problems.  
 
I don't know if you're looking for a tutorial here, but I'll provide a quick one...  
 
The TCP protocol is a guaranteed delivery protocol.  It sets up a session, sends a little data; stops; waits for an ACKnowledgement from the remote device receiving the data, then transmits more data upon receiving the successful ACK.  With each ACK it sends a bigger payload of data, until it gets a negative acknowledgement indicating that some data was lost. In this manner it learns the link characteristics such as speed and congestion.  You can see this when you do a file transfer or download in the status window.  You'll see it slowly get faster and faster till it reaches a consistent throughput at a maximum rate.  
 
On broadband satellite you have a problem because it takes over 1/2 second for the ACK to get back because of the satellite latency, which is a function of distance traveled and the current limit on the speed of light (grin) of 186,000 miles per second.  As a result, TCP traffic is generally going to max out on a VSAT link at about 70 - 90 Kbps (per TCP session) regardless of how much bandwidth you have.  You can mess with TCP windows, but you can't do a whole lot to change this.
 
Broadband satellite vendors address this limitation by providing TCP Acceleration, Spoofing, Performance Enhancing Proxies (PEP) or other techniques that basically intercept the TCP packet and respond to it locally.  Since the acceleration process knows the link characteristics, it can optimize throughput and take advantage of the full bandwidth available.
 
The problem comes when you wrap the original packet up in a new VPN frame.  This hides the original TCP headers so that they cannot be accelerated.  This puts VPNs back to the original problem.  IPSec VPNs encapsulate the original data in UDP-like frames.  UDP is spray and pray.  There is no guaranteed delivery - and no acceleration technology.  So you are back to the original problem.  The VPN frame has to be transmitted over the satellite link, get unwrapped/decrpyted and then ACK'd back across the link, which means performance limitations as discussed above.
 
Workarounds:
 
1) Put the VPN appliance in the teleport.  With this solution you run your data unencrypted over the VSAT link, but you do encrypt it over the Internet backbone, which we would all agree is the most vulnerable.  Today's VSAT solutions are mostly pretty secure - at least as much as a Frame Relay or leased line circuit.  This option would not be acceptable for financial or government data that requires end-to-end encryption.
 
2) Use SSL-VPNs.  These encyrpt the data, but leave the TCP headers alone, so TCP Acceleration continutes to work.
 
3) Use an appliance such as the Encore Bandit, that provides SLE or selective layer encryption.  Similar to SSL-VPNs, these encrypt the data, but leave the headers alone so TCP Acceleration continues to work
 
4) Use a "pre-acceleration" appliance that sits in between the LAN and the VPN appliance.  iDirect makes one specifically for their solution; Mentat and UDCast are a couple others.  This appliance is required on both the remote and data center ends of the circuit.
 
5) If your VPN is running in software on your PC, such as Checkpoint software, Mentat has a piece of code that provides the pre-acceleration capability on the PC.   This solution has an appliance that sits in the data center and software licenses for the PCs that run the code.  Mentat, by the way, is now part of Packeteer.
 
6) Live with it.  70 - 90 Kbps may be OK for your application - certainly it's fine for email.  However interactive data applications will be sluggish and will be limited in performance.  
 
With regard to MS Exchange and network printing - applications that normally use Microsoft's CIFS (common internet file system), won't work for crap over satellite.  They are even more chatty than TCP and there are no spoofing services that I'm aware of.  The new WAFS (wide area file service) is designed to address this limitation, but I have no personal experience with it.
 
Pat

[Doug_Triblehorn]

Pat - What you describe is exactly what our experience had been as well.   The good news is that my company has developed a VPN/Firewall/Router technology that not only operates at IPSec AES-256, but allows all thin client applications to work LAN-like over satellite.  We have marquee customers  Let me know if you need this problem resolved and I'll be happy have a chat.

[HVYMTL]

I've been putting together a VPN connection over vsat for some time now. To date we have put in a Win2003 SBS with ISA firewall connected to cable ISP. In addition we have a Citrix Presentation SRV ver. 4 running on Win2003 Ent. ed. I'm testing remote connections though vsat.
 I have run std. MS VPN connections on both Direcway 7700 system @512/2mb service and currently testing iDirect on 128/128 service.
 I'm very happy with the performance compared to the old dialup Metaframe 1.8 connection.
 We use it to access the company ERP system. To make it intresting, the legacy ERP system will not run on any client OS past Win2000 on our remote laptops. So I have a Vmware/Win98 virtual machine running in Citrix. We connect though VPN to Citrix, launch VMware/Win98, & launch ERP client. Connection runs equal to dialup and remote printing to a impact printer works fine.
 Of intrest for those who like to compare vsat equipment. The iDirect on 128/128 versus Direcway 512/2mb is very close. If I were to bump the iDirect to 128/256, I think everything would be equal. Looks Like I will be moving to a much higher iDirect service at which point I expect Dway to be left far behind.
 
Tom

[Eric Johnston]

I have found the web site that does the IPSec AES-256 VPN referred to above, that details the VPN Tunnel solution to IPSec VPN over satellite.  There is a good white paper at:
http://www.endiiend.com/whitepapers/Acceleration.pdf
( 2.55 Mbyte pdf file) if you want to read more.
 
I am trying to read up on it and will be preparing a new web page here about how VPN Tunnel can solve the problem of IPSec VPN over satellite.
 
Best regards, Eric.

[HVYMTL]

Eric,
 
 I have spoke with the people at endiiend a year or so back, and was encouraged by their information. I have not tried their service as I was unable to find user accounts about their service and it was expensive for my application. If anyone could comment on the product it would be appreciated.
 
Tom

[VPN-MAN]

Tom,
 
You should probably check back with End II End.  They were featured on the cover of Satellite Business Solutions Magazine this month with a large construction company for whom they have improved productivity using satellite and their product by 300%.  They have a monthly pricing model now, which makes the solution far more affordable (and the initial outlay) much more friendly.