
VSAT IPSEC VPN (Encrypt Data Only)? (SOLVED)

Okay guys, this is a very interesting issue which I do not think many will have come across, but it's something I am now dealing with.

The problem, for those that do not know about it, is to do with VSAT connections and how they deal with acceleration and latency inherent in satellite-based connections. To deal with these issues, a VSAT connection generally only ACKs every 3rd packet. This in turn causes problems with IPSEC-based VPN traffic, because the VSAT connection is forced to ACK every packet and in essence will drop in performance by 20 - 40% over a non-encrypted stream.

The issue is dealt with by a few different vendors who have products that just encrypt the data stream and not the headers. This means that the satellite can treat it as normal traffic and apply its usual enhancement features. One product that does this is the VSR-30 by VSAT Systems: http://www.vsat-systems.com/end-user-installation/indoor-equipment/vsr-30/

The issue I have is that we have a client who would like to do this directly from a Fortigate and not have to use 3rd party products for this type of connection, as adding in other points of failure introduces more issues in the long run, especially when they want to go to HA, which the VSR-30 does not support.

So my question is simple at this stage: the Fortigate supports Transport Layer VPN options, which in essence do what I want; however, it's designed more for L2TP-based client-server connections and doesn't actually route for a site-to-site connection. I can get the VPN to come out in Transport Layer but no traffic will pass over it.

Is it possible to somehow get this to work? This would be a significant boon in Fortinet's pocket, as you would be the only firewall vendor currently providing this solution to VSAT customers. This is probably more a feature request, but if there is a way I can get this working now it would be greatly appreciated.
1 REPLY

Seems I might have figured this out by talking to some friends and thinking outside the box. The issue with Transport IPSEC VPN is the Authentication, and I believe this is what was causing a lot of the issues. I have instructed the client to set the Authentication to Autonegotiate in Phase 2 and it seems to have worked; the traffic is flowing across the link now. If you have any other form of Authentication, the VPN says it's connected but no traffic seems to route. So Autonegotiate seems to have done the trick.