Problem solve Get help with specific problems with your technologies, process and projects.

Is it advisable to add a network that is in another country and two hops away to my VPN?

I have a VPN connection between two offices in one country. I need to add another network to the VPN, but this network is in another country and is two hop satellites away. Is it even advisable to connect this other network to my VPN and how fast and efficient will it be, considering that it's two hop satellites away from my service provider's satellite?
In theory, any network that has Internet access should be able to use a VPN tunnel to reach your network's VPN gateway over the Internet. In practice, network connectivity impacts performance, and poor performance can make for bad user experience. In other words, even if something is technically feasible, it may not be that usable.

Satellite links are not necessarily slower than terrestrial links. In fact, traffic relayed through the public Internet can take so many hops through over-used routers and congested terrestrial links that a two-hop satellite link can deliver higher throughput. You need to look at actual numbers to determine whether this service can meet your needs for throughput and latency. Compare the metrics of your satellite service to your experience with cleartext relayed between your two VPN sites, paying particular attention to latency (propagation delay). If cleartext performance is unacceptable, then there's no point in worrying about VPN performance.

If cleartext performance is reasonable, consider performance for the kind of VPN you are using. Encrypted traffic can impact the satellite provider's ability to manage TCP performance to offset propagation delay. Providers often use techniques like spoofed acknowledgements to trick TCP into using the full capacity of the satellite link, even though latency is higher than on terrestrial links. Because network-layer VPNs like IPsec obscure TCP headers, providers can't play those tricks on IPsec traffic. Transport-layer VPNs (like SSL) don't suffer from this problem. You may want to ask your service provider if they offer VPN services -- for example, a hybrid VPN service that ties an IPsec tunnel over the Internet to a proprietary tunnel over the satellite hop. To learn more about this problem and two vendor solutions, read these papers: Your VPN solution over satellite and VPN over satellite.

This was last published in August 2004

Dig Deeper on Network Infrastructure

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.