

We have successfully set up a site-to-site IPsec VPN connection between our two offices in Germany and China. Below are the characteristics of both sites, the VPN and the current speeds:

Germany
VPN Router Zyxel Zywall USG 100
Site's Internet speed: 50/50 Mbps

VPN Tunnel
Type: IPSec
Authentication: SHA-1
Encryption: AES-128
MSS Auto

China
VPN Router Cisco RV180 Multifunction VPN Firewall
Site's Internet speed: 20/20 Mbps

Current Speeds
Ping from Germany to China: 250 - 350 ms
Ping from China to Germany: 250 - 300 ms
File Transfer speeds between sites: avg. 10KB/s

Traceroute from Germany to China
Tracing route to [10.67.8.189] over a maximum of 30 hops:
1 <1 ms 1 ms 1 ms 10.67.5.1
2 * * * Request timed out.
3 * * * Request timed out.
4 370 ms 366 ms 336 ms [10.67.8.189]

Trace complete.

As you can see, we have major speed problems, making even Remote Desktop sometimes unusable. Previously, I have used L2TP between these sites and the performance was much better, RDP usable.

Any advice appreciated. Let me know if you need more information.

Best,

Tom

  • 250/300 ms are really high RTT times. Can you edit your post adding traceroute information? – unlink Oct 27 '14 at 13:18
  • I wouldn't discount the great firewall of China interfering with this traffic. – EEAA Oct 27 '14 at 13:40
  • Will have a lot to do with the carriers you are using at the POP to POP latency as well. – Travis Stoll Oct 27 '14 at 14:58
  • I hope it's not the Great Firewall. Is there a best practice for site-to-site over the Chinese borders? Perhaps another protocol or encryption? – Tom Oct 27 '14 at 16:09

1 Answer


The speed/throughput may be some external factor, as EEAA mentions. But in general, when I've needed to provide remote access across long distance links (Chicago-Hong Kong or London-Seoul), RDP was not an option. Latency kills you at those distances...

Do you have the option to use something that's a bit better with high-latency long-distance links? Citrix (of course) and Ericom Blaze (an RDP accelerator) come to mind, as they fare much better in the conditions you describe.

ewwhite
  • It's not only about RDP. The office in China is a branch office with a child domain, and we are replicating one domain controller over the link. We need to keep the offices connected at an acceptable level, at least 60KB/s. L2TP was faster but it's not an option now due to lower security. – Tom Oct 27 '14 at 16:16
  • @Tom Hm, so that's why China doesn't mess with L2TP... – Michael Hampton Oct 27 '14 at 17:05
  • @MichaelHampton Yes, but obviously we can't be transferring data in plain text between our sites. – Tom Oct 28 '14 at 08:08
  • I still haven't resolved this. However I must say it's a challenging task to stand against China. – Tom Oct 30 '14 at 14:38
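As an added example (not code from the question, the answer or either vendor), the following Python script puts numbers to the latency point raised in the answer and to the "MSS Auto" setting in the question. It takes the 300 ms RTT, the observed 10 KB/s and the 60 KB/s target from the thread; the 64 KB receive window (a common default when window scaling is off) and the per-packet ESP overhead for AES-128-CBC with HMAC-SHA1-96 are assumptions stated in the code. It computes the single-flow ceiling a fixed receive window allows at that RTT, the window needed for the target rate, the MSS clamp that keeps a tunnel-mode ESP packet inside a 1500-byte MTU, and the packet-loss rate the Mathis model would need to explain the observed rate.

```python
"""Back-of-the-envelope checks for a high-latency IPsec site-to-site link.

Added example, not code from the question or answer. RTT (300 ms), observed
transfer rate (10 KB/s) and the 60 KB/s target come from the thread; the
64 KB receive window and the ESP overhead byte counts are assumptions.
"""
import math

KB = 1024


def tcp_window_ceiling(rtt_ms: float, rwnd_bytes: int) -> float:
    """Bytes/s one TCP flow can reach when bounded by its receive window:
    at most one window per round trip (bandwidth-delay product, rearranged)."""
    return rwnd_bytes / (rtt_ms / 1000.0)


def window_needed(rtt_ms: float, target_bytes_per_s: float) -> int:
    """Receive window (bytes) required to sustain target_bytes_per_s at rtt_ms."""
    return math.ceil(target_bytes_per_s * rtt_ms / 1000.0)


def mathis_throughput(rtt_ms: float, mss_bytes: int, loss_rate: float) -> float:
    """Loss-limited TCP estimate (Mathis et al. 1997): MSS/RTT * 1.22 / sqrt(p)."""
    return (mss_bytes / (rtt_ms / 1000.0)) * 1.22 / math.sqrt(loss_rate)


def esp_tunnel_mss(path_mtu: int = 1500) -> int:
    """Largest TCP MSS whose ESP tunnel-mode packet (AES-128-CBC + HMAC-SHA1-96)
    still fits in path_mtu, i.e. the value a fixed MSS clamp would use.
    Overhead constants are assumptions for this cipher suite: outer IPv4 20,
    ESP SPI+seq 8, IV 16, ICV 12, ESP trailer 2, inner IPv4 20, TCP 20."""
    outer_ip, esp_hdr, iv, icv = 20, 8, 16, 12
    inner_ip, tcp_hdr, esp_trailer = 20, 20, 2
    block = 16  # AES block size; the encrypted part is padded to a multiple of it
    enc_budget = path_mtu - (outer_ip + esp_hdr + iv + icv)
    enc_len = enc_budget - (enc_budget % block)  # round down to a whole block
    return enc_len - inner_ip - tcp_hdr - esp_trailer


def link_report(rtt_ms: float = 300.0, observed_bytes_per_s: float = 10 * KB,
                target_bytes_per_s: float = 60 * KB, rwnd_bytes: int = 65535) -> dict:
    """Summarise what the RTT alone allows versus what was observed on the link."""
    ceiling = tcp_window_ceiling(rtt_ms, rwnd_bytes)
    mss = esp_tunnel_mss()
    # Loss rate the Mathis model would need in order to explain the observed rate.
    implied_loss = ((mss / (rtt_ms / 1000.0)) * 1.22 / observed_bytes_per_s) ** 2
    return {
        "window_ceiling_kb_s": round(ceiling / KB, 1),
        "window_needed_for_target": window_needed(rtt_ms, target_bytes_per_s),
        "esp_mss": mss,
        "implied_loss_rate": round(implied_loss, 3),
        "rtt_explains_observed": ceiling <= observed_bytes_per_s,
    }


if __name__ == "__main__":
    for key, value in link_report().items():
        print(f"{key}: {value}")
```

With the page's figures the script reports a window-bound ceiling of about 213 KB/s for a single flow at 300 ms, an 18 KB window as sufficient for the 60 KB/s target, an MSS of 1398 bytes for the assumed ESP overhead, and an implied loss rate above 30%, i.e. a value far outside what the latency by itself would produce. In practice that is the cue to compare the tunnel's effective MSS/MTU against a clamp such as the one computed here, and to measure loss and retransmissions on the path before tuning the VPN parameters.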