Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: NANOG: users

VPN over satellite

 

 

NANOG users RSS feed   Index | Next | Previous | View Threaded


rens at autempspourmoi

Apr 30, 2012, 2:42 AM

Post #1 of 9 (1161 views)
Permalink
VPN over satellite

Dear,



Could anybody recommend any hardware that can build a VPN that works well
over satellite connections? (TCP enhancements)

I want to setup a L3 VPN between 2 satellite connections



Even additionally if that hardware would also support WAN bonding even
better because I also have a scenario to connect 2 times 2 satellites to
have more capacity for my L3 VPN



Regards,



Rens


jason.tredup at gmail

Apr 30, 2012, 4:29 AM

Post #2 of 9 (1123 views)
Permalink
Re: VPN over satellite [In reply to]

Why not use a standard Cisco router or Asa for the routing and VPN and put a riverbed steelhead on both ends to do Tcp optimization and compression.

On Apr 30, 2012, at 5:42 AM, "Rens" <rens [at] autempspourmoi> wrote:

> Dear,
>
>
>
> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)
>
> I want to setup a L3 VPN between 2 satellite connections
>
>
>
> Even additionally if that hardware would also support WAN bonding even
> better because I also have a scenario to connect 2 times 2 satellites to
> have more capacity for my L3 VPN
>
>
>
> Regards,
>
>
>
> Rens
>
>
>
>
>


rens at autempspourmoi

Apr 30, 2012, 5:06 AM

Post #3 of 9 (1121 views)
Permalink
RE: VPN over satellite [In reply to]

IPSec does not run well over satellite since the TCP headers are also
encrypted

-----Original Message-----
From: Gmail [mailto:jason.tredup [at] gmail]
Sent: maandag 30 april 2012 13:30
To: Rens
Cc: <nanog [at] nanog>
Subject: Re: VPN over satellite

Why not use a standard Cisco router or Asa for the routing and VPN and put a
riverbed steelhead on both ends to do Tcp optimization and compression.

On Apr 30, 2012, at 5:42 AM, "Rens" <rens [at] autempspourmoi> wrote:

> Dear,
>
>
>
> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)
>
> I want to setup a L3 VPN between 2 satellite connections
>
>
>
> Even additionally if that hardware would also support WAN bonding even
> better because I also have a scenario to connect 2 times 2 satellites to
> have more capacity for my L3 VPN
>
>
>
> Regards,
>
>
>
> Rens
>
>
>
>
>


denys at visp

Apr 30, 2012, 5:33 AM

Post #4 of 9 (1131 views)
Permalink
RE: VPN over satellite [In reply to]

I did developed my own accelerator in 2006(globax) and have customers
till now, but only for one-way ISP's in CIS region, and partially Europe
(Germany). Sure worked with satellite internet all that years.
But since i am not interested to advertise it here(working only for
ISPs), i will mention possible alternatives:
There was few solutions, most of them was from Tellinet and Mentat.
Tellinet are for Newtec now, and Mentat are for Packeteer(and Packeteer
for Bluecoat). Last time i seen optimization option in Packetshaper from
Bluecoat. Probably worth to visit Newtec, as i see your domain are .be,
and their HQ in Belgium.
Riverbed, i heard about them, but never tried. Most of TDMA VSAT modems
also has embedded accelerators.

Please let me know if you want to know anything else.

On 2012-04-30 15:06, Rens wrote:
> IPSec does not run well over satellite since the TCP headers are also
> encrypted
>
> -----Original Message-----
> From: Gmail [mailto:jason.tredup [at] gmail]
> Sent: maandag 30 april 2012 13:30
> To: Rens
> Cc: <nanog [at] nanog>
> Subject: Re: VPN over satellite
>
> Why not use a standard Cisco router or Asa for the routing and VPN
> and put a
> riverbed steelhead on both ends to do Tcp optimization and
> compression.
>
> On Apr 30, 2012, at 5:42 AM, "Rens" <rens [at] autempspourmoi> wrote:
>
>> Dear,
>>
>>
>>
>> Could anybody recommend any hardware that can build a VPN that works
>> well
>> over satellite connections? (TCP enhancements)
>>
>> I want to setup a L3 VPN between 2 satellite connections
>>
>>
>>
>> Even additionally if that hardware would also support WAN bonding
>> even
>> better because I also have a scenario to connect 2 times 2
>> satellites to
>> have more capacity for my L3 VPN
>>
>>
>>
>> Regards,
>>
>>
>>
>> Rens
>>
>>
>>
>>
>>

---
Network engineer
Denys Fedoryshchenko

Dora Highway - Center Cebaco - 2nd Floor
Beirut, Lebanon
Tel: +961 1 247373
E-Mail: denys [at] visp


paul4004 at gmail

Apr 30, 2012, 7:58 PM

Post #5 of 9 (1112 views)
Permalink
Re: VPN over satellite [In reply to]

Most satellite modems offer built in TCP acceleration options heavily
optimized for VSAT use and an encryption option (proprietary to their
hardware only) which is probably your best bet. You can then use
traditional encryption to your satellite provider (or take Ethernet handoff
at the satellite earth station with co-located equipment, if appropriate).

Otherwise, if this is not adequate you can use any traditional acceleration
solution at the end sites, just check with the vendor for how optimized
they are for your latency scenario.

For various reasons, you're best not bonding. Just obtain a bigger space
segment. It's literally scalable to at least ~35 megabit with ease by
buying the appropriate sized pipe. Otherwise if you must bond I suggest
you consider traditional ip routing mechanisms to do so on a per-flow basis.



On Mon, Apr 30, 2012 at 3:42 AM, Rens <rens [at] autempspourmoi> wrote:

> Dear,
>
>
>
> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)
>
> I want to setup a L3 VPN between 2 satellite connections
>
>
>
> Even additionally if that hardware would also support WAN bonding even
> better because I also have a scenario to connect 2 times 2 satellites to
> have more capacity for my L3 VPN
>
>
>
> Regards,
>
>
>
> Rens
>
>
>
>
>
>


eyeronic.design at gmail

Apr 30, 2012, 9:01 PM

Post #6 of 9 (1115 views)
Permalink
Re: VPN over satellite [In reply to]

"You can then use
traditional encryption to your satellite provider (or take Ethernet handoff
at the satellite earth station with co-located equipment, if appropriate)."
True...except for most audit/regulatory purposes, having the traffic
unencrypted in any part of the chain is unacceptable.

"Just obtain a bigger space
segment. It's literally scalable to at least ~35 megabit with ease by
buying the appropriate sized pipe."
True, but you have to make sure you have the right modem. The
majority of modems in VSAT stacks can go up to ~10mbps. You usually
have to shell out quite a bit more money to get a modem capable of
handling larger bandwidths.

"Otherwise, if this is not adequate you can use any traditional acceleration
solution at the end sites, just check with the vendor for how optimized
they are for your latency scenario."
Exactly. Figuring out *what* specifically you want to accelerate is
vital. Virtually any accelerator on the market can handle FTP, HTTP
and other simple protocols. It takes a lot of know-how to properly
accelerate some of the more complex ones.

On Mon, Apr 30, 2012 at 7:58 PM, PC <paul4004 [at] gmail> wrote:
> Most satellite modems offer built in TCP acceleration options heavily
> optimized for VSAT use and an encryption option (proprietary to their
> hardware only) which is probably your best bet.  You can then use
> traditional encryption to your satellite provider (or take Ethernet handoff
> at the satellite earth station with co-located equipment, if appropriate).
>
> Otherwise, if this is not adequate you can use any traditional acceleration
> solution at the end sites, just check with the vendor for how optimized
> they are for your latency scenario.
>
> For various reasons, you're best not bonding.  Just obtain a bigger space
> segment.  It's literally scalable to at least ~35 megabit with ease by
> buying the appropriate sized pipe.  Otherwise if you must bond I suggest
> you consider traditional ip routing mechanisms to do so on a per-flow basis.
>
>
>
> On Mon, Apr 30, 2012 at 3:42 AM, Rens <rens [at] autempspourmoi> wrote:
>
>> Dear,
>>
>>
>>
>> Could anybody recommend any hardware that can build a VPN that works well
>> over satellite connections? (TCP enhancements)
>>
>> I want to setup a L3 VPN between 2 satellite connections
>>
>>
>>
>> Even additionally if that hardware would also support WAN bonding even
>> better because I also have a scenario to connect 2 times 2 satellites to
>> have more capacity for my L3 VPN
>>
>>
>>
>> Regards,
>>
>>
>>
>> Rens
>>
>>
>>
>>
>>
>>



--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


galu at packetdam

May 1, 2012, 10:44 AM

Post #7 of 9 (1113 views)
Permalink
Re: VPN over satellite [In reply to]

Hi Rens,

I work with one of the leading satellite providers. Depending on the customer type, we deploy a number of solutions (some work better for some, some work better for others). Most off-the-shelf solutions are more or less designed in a client/server manner (the optimizations they employ are usually asymmetrical, as most clients either just push or just pull data).

It sounds like you need an end to end solution that is not optimizing a particular type of data. Riverbed could be one, but I haven't really tested it in a setup resembling yours. Some of our customers use it, but they mostly pull data so I can't really tell if it works for you. You could contact me off-list to let me know who your satellite provider is. If it's the company I work with, perhaps we can bounce some ideas around.

Cheers
Vlad

--
PacketDam: a cost-effective
software solution against DDoS


On Monday, April 30, 2012 at 10:42 AM, Rens wrote:

> Dear,
>
>
> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)
>
> I want to setup a L3 VPN between 2 satellite connections
>
>
> Even additionally if that hardware would also support WAN bonding even
> better because I also have a scenario to connect 2 times 2 satellites to
> have more capacity for my L3 VPN
>
>
> Regards,
>
>
> Rens


alvarezp at alvarezp

May 8, 2012, 7:48 PM

Post #8 of 9 (1061 views)
Permalink
Re: VPN over satellite [In reply to]

On Mon, 30 Apr 2012 02:42:27 -0700, Rens <rens [at] autempspourmoi> wrote:

> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)

I'd try splitting the solution into two devices: at the lower layer, the
tunneling part, which can be done with any traditional transport-layer VPN
solution; at the higher layer (prior to encryption), the TCP enhancement
part, for which, I'd look for dedicated and specialized multipoint WAN
optimization devices.

> I want to setup a L3 VPN between 2 satellite connections

That's brave! I'd check with the satellite provider if they are able to
forward your frames directly from VSAT to VSAT without going through the
hub, and, if multiple satellites are used, if they can route between
satellites. Most don't. Those two above are NOT easy to do. They will most
probably make your packets "double-hop", so your latency will be about 1.4
seconds.



--
Octavio.


mail at danrl

May 10, 2012, 9:28 AM

Post #9 of 9 (1048 views)
Permalink
Re: VPN over satellite [In reply to]

Hi,

On Mon, 30 Apr 2012 02:42:27 -0700, Rens <rens [at] autempspourmoi> wrote:
> Could anybody recommend any hardware that can build a VPN that works well
> over satellite connections? (TCP enhancements)
Have you asked Genua? www.genua.de
Word on the street says they have a solution, but it may not appear on
their homepage ;)

regards
Dan

--
Dan Luedtke
http://www.danrl.de

NANOG users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.