Satellite links are not necessarily slower than terrestrial links. In fact, traffic relayed through the public Internet can take so many hops through over-used routers and congested terrestrial links that a two-hop satellite link can deliver higher throughput. You need to look at actual numbers to determine whether this service can meet your needs for throughput and latency. Compare the metrics of your satellite service to your experience with cleartext relayed between your two VPN sites, paying particular attention to latency (propagation delay). If cleartext performance is unacceptable, then there's no point in worrying about VPN performance.
If cleartext performance is reasonable, consider performance for the kind of VPN you are using. Encrypted traffic can impact the satellite provider's ability to manage TCP performance to offset propagation delay. Providers often use techniques like spoofed acknowledgements to trick TCP into using the full capacity of the satellite link, even though latency is higher than on terrestrial links. Because network-layer VPNs like IPsec obscure TCP headers, providers can't play those tricks on IPsec traffic. Transport-layer VPNs (like SSL) don't suffer from this problem. You may want to ask your service provider if they offer VPN services -- for example, a hybrid VPN service that ties an IPsec tunnel over the Internet to a proprietary tunnel over the satellite hop. To learn more about this problem and two vendor solutions, read these papers: Your VPN solution over satellite and VPN over satellite.
This was first published in August 2004