[asterisk-users] New thread - SIP over VPN

Hans Witvliet hwit at a-domani.nl
Sun Sep 27 07:30:12 CDT 2009


On Sat, 2009-09-26 at 22:47 -0700, Dave Platt wrote:
>  >> Isn't an SSL based tunnel all TCP?

> 
> There seems to be a good deal of feeling (and evidence) that
> trying to use TCP as the container for a tunnel is likely
> to cause more trouble than it solves.  Yes, the TCP layer
> will make the tunnel "reliable" - but at the expense of
> adding unpredictable amounts of latency, due to TCP's
> built-in exponential-backoff retry timing.  Things get
> *really* nasty if you try to wrap one TCP connection in
> another, because both connections will be independently
> retrying any lost or delayed packets - you'll end up
> retransmitting quite a bit more data than you would if
> you simply used TCP/IP (or TCP/IP wrapped in UDP/IP)
> and throughput will suffer.
> 

That is the main reason why the widespread use of (TCP) SSH tunnels is
discouraged: you get a TCP protocol encapsulated in another
TCP layer.
Missing frames will be corrected by the outermost TCP protocol suite;
however, as soon as you get a bad connection (often wifi) and are
confronted with timeouts, re-transmissions will only make things worse
and end up with a snowball effect.

So I would opt for an IPsec tunnel or OpenVPN with UDP.
If you have a rock-solid connection you could even use an OpenSSH VPN
tunnel.

hw
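An added example, not from Hans's post or from the OpenVPN project: a minimal OpenVPN server configuration for carrying SIP and RTP over a UDP-transport tunnel, which is the "openvpn with UDP" option recommended above. The tunnel subnet, port and certificate paths are assumed values; the TCP variant is shown only as a commented-out line so the contrast is visible.

```conf
# Added example: minimal OpenVPN server config for carrying SIP/RTP.
# The tunnel transport is UDP, so the tunnel itself never retransmits.
# Loss is left to the inner protocols: RTP simply drops a frame and
# SIP/UDP retries on its own timers, instead of an outer TCP stack
# backing off and retransmitting on top of them.
dev tun
proto udp
# Do NOT use the following: it puts every inner TCP flow inside another
# TCP connection, so both layers retransmit independently on loss.
# proto tcp-server
port 1194
# Assumed tunnel subnet; clients get addresses from this range.
server 10.8.0.0 255.255.255.0
# Assumed certificate/key paths.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# Ping the peer every 10 s, declare it dead after 120 s without reply;
# this keeps NAT mappings alive for the UDP SIP/RTP flows inside.
keepalive 10 120
# Keep keys and the tun device across restarts after privilege drop.
persist-key
persist-tun
```

On the client side the matching line is `proto udp` as well; if an operator later switches a client to `proto tcp-client` against this server it will not connect, which is the point: the transport choice is made once, on the server, and the TCP-in-TCP case is ruled out by configuration rather than by policy.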


