Some background about Satellite communications...
Satellite communications have inherit limitations in regards to round trip time (RTT) due to the distance packets travel in order to get from source to destination (i.e. propagation delay). RTT of Satellite links are typically above the 500ms mark. Consider what this delay does to network communications. UDP will suffer the RTT delay associated with opening the connection (i.e. handshake) with a back-n-forth of 500ms required for each part of the handshake but after that the performance across these high-RTT links may not be so bad. Once the stream is opened data will quite happily flow until its finished as UDP doesn't care if bits are lost along the way it just sends one after another until its sent everything (i.e. connectionless).
On the other hand consider TCP. It also has to establish a handshake and will require the 500ms delay for each back-n-forth of the setup. However, once the handshake is completed the data stream, compared to UDP, behaves nothing like the UDP stream! It chugs!
TCP is a connection orientated protocol and it will only send the next chunk of data once the last chunk it has sent has been acknowledged and received successfully. Over short-RTT links this isn't such a big deal, we lose a packet and we simply kick it off again and wait for the other end to acknowledge. In standard networks, because the RTT is low, the penalty for doing this is negligible... and life goes on. Over satellite links the delay associated with a lost chunk of data in a TCP stream is very detrimental due to the 500ms per-direction back-n-forth required to restart the chunk that was lost.
To get around the inherit limitations of TCP over Satellite (and make it workable), network boffins came up with some fancy optimization. Satellite providers these days typically provide some sort of TCP/UDP header optimization for their services that buffers packets and tricks the PCs at either end of the Satellite into thinking the network is more responsive than it is or that data can be sent quicker than what the typical RTT back-n-forth would dictate under normal circumstances. This works great provided the optimization technology supports the protocols you're using.... (*ominous fore-shadowing*).
Now what about VPNs? Typical IPSEC VPNs over Satellite behave pretty similar to the vanilla TCP situation described above (i.e poorly) except (you guessed it) the Satellite modems can't optimize the TCP/UDP packet headers tunnels across the VPN. This is because the TCP packet headers are encapsulated and encrypted inside ESP packets (i.e. the modem can't see it's TCP or optimize it). Similar is true for IP Tunnels (i.e. using GRE)!
Overall this results in a lot of frustration and stock-standard VPNs connecting without issue but not forwarding traffic at speeds that non-VPN traffic operates at.
How to configuring VPNs over Satellite links in a way that can be optimized...
So in the wall of text above, we noted that UDP is connectionless, that satellite modems do some form of spoofing to trick TCP/UDP into working fast despite the poor RTT and that VPNs hide the underling TCP/UDP from the modems preventing this optimization! Phew!
A standard VPN uses ESP packets for the tunnel... what if we made it use UDP as the transport instead? On a Cisco router this would be configured using the following (note this is default in newer software)
crypto isakmp nat-traversal 20The above command points to the fact that NAT traversal suffers from the similar issues.
Hope it helps someone!