Re: [FW-1] VPN to firewall behind NAT
A side question. On a WAN with long delay (high ping time), even if the link has high bandwidth, all the UDP-based applications I used sucked because they all waited for a return UDP packet to acknowledge the UDP packet just sent. None used a "sliding window" like TCP does; TCP can have many unacknowledged packets in transit, so on the same link with TCP I was limited by the bandwidth of the link, not the ping time.

Does UDP encapsulation have this low-performance penalty, or can it have more than 1 packet in transit in a direction at any moment?

In one particular case I upgraded a 256Kbits virtual "Partial T1 link" to a full 1.54Mbits virtual "T1 Link". The transporter sold those as T1 or Partial T1, but they were using a mix of T1, ATM, Router and Tunnel to implement it, so the ping time was long and about the same from the 256Kbits to the 1.54Mbits upgrade. The result: an angry client who paid $$$ more and saw only a 10% increase in throughput, as the application was constructed of lots of small SQL requests with varying size result sets. When we switched to the next version of the SQL, it added TCP support, so we switched from UDP to TCP and got a 60% increase in throughput!

Very interested party, because I work on a project and the answer can influence the way I set it up (can use UDP encapsulation or NOT).

At 17:51 2001-12-17 -0500, Paul Cardon wrote:
>Nico De Ranter wrote:
>
>> quick question: is it possible to set up a VPN using Checkpoint
>> VPN-1 NG (FP1) with a firewall that is behind a router doing NAT?
>> i.o.w:
>>
>> fw (e.g. 1.2.3.4) <--> (e.g. 5.6.7.8) NAT router (e.g. 10.0.0.1) <--> fw (e.g. 10.0.0.2)
>>
>> Is this possible using IKE and IPsec? I vaguely remember IPsec uses
>> the ip-address of the firewall for some hashing so this will
>> probably get messed up when using NAT right?
>
>It is possible as long as both VPN endpoints support UDP encapsulation
>of the IPSEC traffic.
>
>-paul

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17
Email: [email protected]
Responsable des Systemes
Sogi Informatique Ltee.
------------------------------------------------------------

=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
If you have any questions on how to change your
subscription options, email Ron Alcatraz at:
[email protected]
=================================================