[Leaplist] Openvpn over satellite
tony_l_turner at yahoo.com
Wed Sep 24 08:06:29 EDT 2008
My primary issue with IPSEC is with PEP. Performance Enhancing Proxies in satellite implementations hack apart the TCP 3-way handshake so they can send packets across as UDP (more or less), and they modify the TCP headers, spoofing certain info, until the packets reach the other end at the sat provider, where they are then "fixed" back to be sent on their merry way to their final destination. With a transport-level VPN like IPSEC you can't see the headers, and you certainly can't modify them until you reach the other end of the tunnel. Across a connection that might have an RTT as high as 3 seconds, that's 4.5 seconds for a single 3-way handshake. That's downright ugly. (Usually closer to 700ms, but I have seen it much higher.) On top of this, PEP will send packets in bundles if it can change that header; otherwise it's going to sit there sending 1 at a time waiting for confirmation from the other end.

My research has shown that due to latency issues, regardless of the rated bandwidth, the maximum speeds you will get across an IPSEC tunnel are somewhere in the neighborhood of 500 to 600kbps, even though we should be getting 2+Mbps and are paying for that. I believe that by implementing an SSL VPN instead we will be able to overcome that issue.
The traffic we will be sending across this link includes normal http and https traffic, Exchange/Outlook, mainframe apps using a web-based emulator, as well as a few enterprise database apps that include just about every RDBMS you've ever heard of. It's not a simple matter of rewriting apps, and given current budget issues it's unlikely to even be considered.
I'm hoping to optimize the TCP sessions from firewall to firewall, as local LAN issues are fairly nonexistent, and I don't want to permanently modify clients that function on standard networks when they get hooked up to our sat trailer. The larger TCP window sizes "should" theoretically increase throughput for a high-latency connection like satellite.
Yes I am a disaster response person but I work in state government. I haven't worked with F4W before but I know who they are.
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: "Bryan J. Smith" <b.j.smith at ieee.org>
Date: Tue, 23 Sep 2008 22:47:11
To: <leaplist at leap-cf.org>
Subject: Re: [Leaplist] Openvpn over satellite
On Wed, 9/24/08, tony_l_turner wrote:
> I'm looking for a good full featured *.nix firewall
> distribution like IPCop, M0n0wall, Pfsense, Smoothwall,
> Untangle etc that does a good job of managing TCP window
> sizes/buffers for high latency connections like satellite
> connectivity. Configuration might be sat2sat or sat2land. I
> need a package that works well with OpenVPN as I need to do
> a point2point SSL VPN to better utilize PEP (IPSEC sucks in
> this regard)
> While it might be obvious that I have a list of solutions
> already, I either want to find something running on kernel
> 2.6 or newer to take advantage of new TCP congestion control
> features not found in 2.4 and older or find a way to load
> the appropriate module I need to manage high latency
> connections. I do not currently have a budget for this
> project but have a couple of spare Dell P4 boxes I can use
> and a box of network cards.
I'm kinda curious where you find "IPSec sucks in this regard."
One of the advantages of IPSec is that it is integrated at
the network layer (IP) itself. Ideally, an implementation,
such as the Linux 2.6, should allow it to be tuned much better
via various commands (ip et al.). In reality, far too many
IPSec-based VPN implementations do tend to have all the issues
of that layer of interaction, and none of the advantages.
I have no idea how good the IPSec implementations are out
there, how much it integrates with the native Linux 2.6
options and control, etc... I don't like to deal with
IPSec myself, but I'm not doing what you do. I do know
that Red Hat spent some money getting OpenSWAN through
the full IPv6 certification process (the only daemon that
is right now?) and have people working on it full time.
When you start looking at OpenVPN, which makes it far more
transparent of an option because it works largely at a
higher layer, you're now talking about a tun device. So
with most everything else at the higher layer, and little
more than the tun devices, I don't see it being as remotely
tunable for what you want -- at least what is in the Linux
2.6 kernel. But I just use OpenVPN "as-is" and don't get
into all those details.
Or do you believe you can configure all you need at the tun
device in the 2.6 kernel?
And yeah, most of the simple, default SOHO/SMB security
"make me an appliance" Linux distro installs still favor
kernel 2.4 for countless reasons. So you typically have
to start with your own base for 2.6.
I'm really interested in your needs, because it sounds like
an interesting network consideration for high latency
connections**, and what 2.6 gives you.
> Does anyone have experience with this or have any
> resources you could recommend so I could research
> this myself?
Other than analyzing some throughput, latency and
efficiency of real-time TCP-based communication software,
not really. I haven't tuned much, and all of that was
back on kernel 2.4 anyway -- RHEL 3 with OpenVPN, and that
was non-sanctioned and hacked last second, as needed
immediately, etc... with just some lessons learned later.
> I've been through the previous products FAQs and
> countless Google searches and found good theoretical
> info but very little practical guidance. Thanks in
> advance
In general, when you are concerned about latency in a
real-time app, you compensate in the app itself. I.e.,
re-write it for a protocol like ... say ... RTP. If
you need security, you write it to handle it on its own.
This can include using IPSec as it was intended, not as
it often is as a VPN/tunnel.
But it's been a couple of years since I looked at all this.
None of it on kernel 2.6, all 2.4, and -- gasp -- Embedded
XP (NT) and CE.
-- Bryan
**P.S. You're not working for F4W by chance, are you? ;)
Satellite is the emergency responders' last, but common,
resort to connectivity and I remember hacking an OpenVPN
option for them over an evening. At least they re-wrote
Tactica to use RTP instead of TCP.
--
Bryan J Smith Professional, Technical Annoyance
b.j.smith at ieee.org http://www.linkedin.com/in/bjsmith
------------------------------------------------------
I'm a PC, but Linux -- Windows: Life Without Firewalls
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
Leaplist mailing list
Leaplist at leap-cf.org
http://lists.leap-cf.org/mailman/listinfo/leaplist
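As an added example, not part of Tony's or Bryan's messages, here is the arithmetic behind the window-size point in the thread: the bandwidth-delay product says how many bytes a single TCP flow must keep in flight to fill a satellite hop, and an unscaled 64 KiB window (the RFC 793 16-bit field) caps one flow at a fraction of the rated link. The link rate (2 Mbps) and the RTTs (700 ms typical, 3 s worst case) are the figures quoted in the thread; the sysctl names are the Linux 2.6 ones; the 2x buffer headroom and the TCP Hybla suggestion are this example's own assumptions, not something the thread recommends. One caveat a practitioner should keep in mind on the PEP argument: a PEP can only rewrite TCP headers it can read, and a tun-mode OpenVPN tunnel encrypts the inner TCP headers just as ESP does, so with either VPN the proxy sees only the outer transport (OpenVPN's own TCP or UDP session), not the applications' TCP sessions.

```python
# Added example (not from the thread): TCP window sizing for a satellite hop.
# Assumed figures: a 2 Mbps link, 700 ms typical / 3 s worst-case RTT (both
# from the thread), and the 64 KiB ceiling of a TCP window without the
# window-scale option.  Sysctl names are the Linux 2.6 ones.

BITS_PER_BYTE = 8
MAX_UNSCALED_WINDOW = 65535   # largest advertised window without window scaling
LINK_BPS = 2_000_000          # rated satellite bandwidth (assumed, per the thread)
RTT_TYPICAL_S = 0.7           # typical RTT quoted in the thread
RTT_WORST_S = 3.0             # worst-case RTT quoted in the thread


def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: bytes that must be in flight to fill the pipe."""
    return round(bandwidth_bps * rtt_s / BITS_PER_BYTE)


def window_limited_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Upper bound for one TCP flow: at most one window can be sent per RTT."""
    return window_bytes * BITS_PER_BYTE / rtt_s


def handshake_seconds(rtt_s: float) -> float:
    """SYN, SYN/ACK, ACK: the client may send data after 1.5 RTT."""
    return 1.5 * rtt_s


def window_fills_pipe(window_bytes: int, bandwidth_bps: float, rtt_s: float) -> bool:
    """True when a single flow's window is large enough to use the whole link."""
    return window_bytes >= bdp_bytes(bandwidth_bps, rtt_s)


def sysctl_lines(bandwidth_bps: float, rtt_s: float, headroom: int = 2) -> list:
    """Linux 2.6 sysctl settings sized for the given link.

    headroom (assumed 2x) leaves room for the kernel's per-socket bookkeeping
    share of the buffer and for bursts; it is this example's choice, not a
    value from the thread.  tcp_rmem/tcp_wmem are "min default max".
    """
    buf = bdp_bytes(bandwidth_bps, rtt_s) * headroom
    return [
        "net.ipv4.tcp_window_scaling = 1",   # needed for any window above 64 KiB
        "net.ipv4.tcp_timestamps = 1",       # RTT estimation and PAWS on large windows
        "net.ipv4.tcp_sack = 1",             # recover single losses without a full RTT stall
        f"net.core.rmem_max = {buf}",
        f"net.core.wmem_max = {buf}",
        f"net.ipv4.tcp_rmem = 4096 87380 {buf}",
        f"net.ipv4.tcp_wmem = 4096 65536 {buf}",
        # Assumption: Hybla is the 2.6 congestion module aimed at high-RTT links
        # (modprobe tcp_hybla); the thread itself names no algorithm.
        "net.ipv4.tcp_congestion_control = hybla",
    ]


def report(bandwidth_bps: float, rtt_s: float) -> dict:
    """Summarise what an unscaled window costs on this link."""
    return {
        "rtt_s": rtt_s,
        "bdp_bytes": bdp_bytes(bandwidth_bps, rtt_s),
        "handshake_s": handshake_seconds(rtt_s),
        "unscaled_max_kbps": window_limited_throughput_bps(MAX_UNSCALED_WINDOW, rtt_s) / 1000,
        "unscaled_window_fills_pipe": window_fills_pipe(MAX_UNSCALED_WINDOW, bandwidth_bps, rtt_s),
    }


if __name__ == "__main__":
    for rtt in (RTT_TYPICAL_S, RTT_WORST_S):
        r = report(LINK_BPS, rtt)
        print(f"RTT {r['rtt_s']:.1f}s: BDP {r['bdp_bytes']} bytes, handshake "
              f"{r['handshake_s']:.2f}s, 64 KiB window caps one flow at "
              f"{r['unscaled_max_kbps']:.0f} kbps, fills pipe: {r['unscaled_window_fills_pipe']}")
    print("\n# sysctl.conf fragment sized for the worst-case RTT:")
    for line in sysctl_lines(LINK_BPS, RTT_WORST_S):
        print(line)
```

At 700 ms a 64 KiB window limits one flow to roughly 749 kbps, and at 3 s to about 175 kbps, regardless of the 2 Mbps rating; the 3 s case also gives the 4.5 s handshake figure. Filling a 2 Mbps pipe at 3 s RTT needs 750000 bytes in flight, more than ten times the unscaled maximum, so window scaling must be on at both ends of the firewall-to-firewall path for the larger buffers to have any effect. The printed fragment is meant for /etc/sysctl.conf followed by sysctl -p on the two firewalls.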