Re: [FW-1] VPN to firewall behind NAT



A side question. On a WAN with long delay (high ping time), even if the link
has a high bandwidth, all UDP-based applications I used sucked because they
all waited for a return UDP packet to acknowledge the UDP packet just sent. None
used a "sliding window" like TCP does, so TCP can have many unacknowledged
packets in transit, so on the same link in TCP I was limited by the bandwidth
of the link, not the ping time. Does UDP encapsulation have this low
performance penalty, or can it have more than 1 packet in transit in
a direction at any moment?

In one particular case I upgraded a 256Kbits virtual "Partial T1 link" to
a full 1.54Mbits virtual "T1 Link". The transporter sold those as T1 or
Partial T1 but they were using a mix of T1, ATM, router and tunnel to
implement it, so the ping time was long and about the same from the 256Kbits to
1.54Mbits upgrade. The result: an angry client who paid $$$ more and saw
only a 10% increase in throughput, as the application was constructed full
of small SQL requests with varying-size result sets. When we switched to the
next version of the SQL, it added TCP support, so we switched from UDP to TCP
and got a 60% increase in throughput!

Very interested party because I work on a project and the answer can influence
the way I set it up (can use UDP encapsulation or not).

At 17:51 2001-12-17 -0500, Paul Cardon wrote:
>Nico De Ranter wrote:
> >
>
>> quick question: is it possible to set up a VPN using Checkpoint
>> VPN-1 NG (FP1) with a firewall that is behind a router doing NAT?
>> i.o.w:
>>
>>     fw (e.g. 1.2.3.4) <--> (e.g. 5.6.7.8) NAT router (e.g. 10.0.0.1) <--> fw (e.g. 10.0.0.2)
>>
>> Is this possible using IKE and IPsec? I vaguely remember IPsec uses
>> the ip-address of the firewall for some hashing so this will
>> probably get messed up when using NAT right?
>
>
>
>It is possible as long as both VPN endpoints support UDP encapsulation
>of the IPSEC traffic.
>
>-paul
>
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>If you have any questions on how to change your
>subscription options, email Ron Alcatraz at:
>[email protected]
>=================================================
>

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------
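
Added example, not part of the original message: a small model of the stop-and-wait versus sliding-window behaviour described above, run at the two link speeds the message names. The 100 ms round-trip time, 512-byte packets, packet count and window of 64 are assumptions; the message gives no such figures.

```python
"""Stop-and-wait versus sliding-window transfer over a long-delay link."""

def transfer_time(n_packets, packet_bytes, link_bps, rtt_s, window):
    """Seconds until the last of n_packets is acknowledged when at most
    `window` packets may be unacknowledged (window=1 is stop-and-wait)."""
    serialize = packet_bytes * 8 / link_bps  # time to clock one packet onto the link
    link_free = 0.0                          # when the sender may start the next packet
    ack_at = []                              # ack arrival time for each packet
    for i in range(n_packets):
        # Packet i may not leave before packet i - window has been acknowledged.
        window_opens = ack_at[i - window] if i >= window else 0.0
        start = max(link_free, window_opens)
        link_free = start + serialize
        ack_at.append(link_free + rtt_s)     # ack size and packet loss are ignored
    return ack_at[-1]

def throughput_bps(n_packets, packet_bytes, link_bps, rtt_s, window):
    """Delivered bits per second for the whole transfer."""
    bits = n_packets * packet_bytes * 8
    return bits / transfer_time(n_packets, packet_bytes, link_bps, rtt_s, window)

# Link speeds come from the message; every other value is an assumption.
PARTIAL_T1 = 256_000   # bit/s
FULL_T1 = 1_540_000    # bit/s
RTT = 0.100            # seconds, assumed
PACKET = 512           # bytes, assumed
COUNT = 1000           # packets, assumed

def compare():
    """Return {mode: (slow_bps, fast_bps, gain)} for both sending disciplines."""
    rows = {}
    for name, window in (("stop-and-wait", 1), ("window of 64", 64)):
        slow = throughput_bps(COUNT, PACKET, PARTIAL_T1, RTT, window)
        fast = throughput_bps(COUNT, PACKET, FULL_T1, RTT, window)
        rows[name] = (slow, fast, fast / slow)
    return rows

if __name__ == "__main__":
    for name, (slow, fast, gain) in compare().items():
        print(f"{name:14s} {slow / 1000:8.1f} kbit/s -> "
              f"{fast / 1000:8.1f} kbit/s (x{gain:.2f})")
```

With one packet in flight the round trip dominates each exchange, so the faster link changes little; with a window large enough to cover the round trip the link speed becomes the limit.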

   All contents © 2004 Network Presence, LLC. All rights reserved.