Philosophical question...

Jon Carnes jonc at haht.com
Thu Aug 9 16:44:38 EDT 2001



> How does that work over unreliable networks? My own experiments in that
> (granted, a few years back) was that SSH+PPP doesn't recover from lost
> packets very well, and I would frequently get hung connections and no way
> to cleanly recover.
>
> Have you run into this, or tried it over questionable connections, like an
> overloaded frame or a spotty cable modem?
>
> Just wondering...
>
I've read all the reports and I agree with their logic.  Theoretically the
system should run out of control exponentially when packets are lost.  In
reality, I've never seen it.

Our worst connection was from our DS3 in the USA to a cable modem in
Australia.  The latency was extremely high, and the connection on the
Australian side was spotty.  Still it all worked and it worked remarkably
well.  The maximum throughput was about 60% of the top throughput for the
Australian end.

The Australian end has grown since then, and they've moved to a much better
connection.  Now we get about 80% of maximum throughput using the exact same
VPN, but a better router and a better ISP at the Australian site.

Currently our worst connection is to a cable modem in one of our remote
offices in California - using DHCP to set their cable modem's internet
address.  Each time the IP changes we lose connectivity but it pops back
up about 30 seconds after we get a new IP.  Other than that, we get about
60% of the available bandwidth.

In days of olde I used to run a ping across each connection and then reset
any pipe that didn't respond properly.  I haven't done that for the past two
years though and every site is stable.  I think the newer versions of PPP
are better at maintaining connections, and though I have not explored it
fully (it isn't broken, so I don't ask) the newer PPP must have some rather
nice built-in mechanisms for handling TCP across spotty connections.

I have played with running ppp/ssh on some really low bandwidth connections,
and I find that it doesn't work at all for us if the other end is less than
32kb.  The efficiency of the connection increases as the limiting bandwidth
increases.  Anything above 128kb seems to be ideal for us.
This is using P3-350's for the anchor points of the VPN, and with our HQ's
VPN endpoint capped at 3Mb.

Does anyone know what sort of efficiency a similar setup using IPsec and low
encryption would have?


More information about the VPN mailing list