Is anyone doing IPsec VPNs over Starlink? Site-to-site style?
Currently trying to work out a solution for a client, Cisco platform all around, and the best idea is to use IPsec VTI tunnels. This particular install is using Starlink Business, so we should get the public IP directly on the Cisco, but we may have a need to do it on residential, which is CGNAT stuff with dynamic IPs.
What's the best solution here?
I've previously tried an L2TP VPN over residential Starlink and found the tunnel was limited to about ~30 Mbps. Not sure if this was an unrelated issue, but other VPNs to the same concentrator did not have any issues, so I thought perhaps Starlink was applying PCQ to the tunnel (seeing it as a single flow).
Just keen to hear people's experiences so I can push myself to the right solution.
I'm running site-to-site WireGuard with a persistent keepalive over Starlink (terminates at a VPS and a couple of other sites). OSPF runs over the tunnels. It's been rock solid.
Yeah, we are running ADVPN over Starlink with FortiGates. Works solid as a rock. Just need to keep in mind that on the standard dish you get a CGNAT address, so you need to use a dial-up VPN.
Some firewalls (pfSense, for example) can be set up so that one side is an initiator only, so that side can be the one reaching out to the side with a public IP address.
Also, some firewalls can use DNS names for their endpoint address, so you could use some dynamic update tool to update the domain name. This again depends on the firewall.
If I'm understanding you correctly, I've done something similar with FlexVPN and a phase 3 DMVPN (over cellular/Viasat/iDirect). As far as throughput, there could be a lot of factors contributing to that one (hardware, interface configuration, licensing limiting speeds, CPU utilization).
Customer has an Aruba SD-Branch site running on Starlink. This uses IPsec. It's mostly rock solid, except for the odd time the link itself drops due to satellite coverage in the area. No complaints otherwise.
We use FlexVPN and the latency is around 150 to 200 ms. It does drop every now and again, and the IKEv2 negotiation takes about 50 seconds to come back up.
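As an added example (not configuration posted by anyone in this thread), the following is a minimal Cisco IOS/IOS-XE FlexVPN hub-and-spoke skeleton for the setup the original question describes, applying the "one side initiates only" pattern from the replies above: the site with the fixed public IP (Starlink Business, or a VPS) is the IKEv2 responder, and the residential site behind CGNAT is a FlexVPN client that always dials out, so nothing inbound and no dynamic-DNS update is needed on the CGNAT side. All hostnames, addresses (203.0.113.10 is a documentation address), interface names, key names and timer values are placeholders I chose for this example; a pre-shared key is used for brevity, and because the hub matches spokes on `address 0.0.0.0 0.0.0.0`, a production deployment should switch to certificate authentication (`authentication remote rsa-sig` with a PKI trustpoint) so that possession of one shared secret plus a guessable FQDN is not enough to join the hub.

```cisco
! ===== HUB: fixed public IP 203.0.113.10, responder only =====
! Placeholder names/addresses/keys chosen for this example.
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-HUB
 proposal PROP-GCM
!
! The spoke's source address is a changing CGNAT address, so match any
! address and authenticate on the IKEv2 identity plus its key instead.
crypto ikev2 keyring KR-SPOKES
 peer SPOKE1
  address 0.0.0.0 0.0.0.0
  identity fqdn spoke1.example.net
  pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
crypto ikev2 profile PROF-HUB
 match identity remote fqdn domain example.net
 identity local fqdn hub.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SPOKES
 dpd 10 3 on-demand
 virtual-template 1
!
! UDP/4500 NAT keepalives stop the CGNAT mapping from timing out while idle.
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile PROF-HUB
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
! One virtual-access interface is cloned per connecting spoke.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! ===== SPOKE: Starlink residential, CGNAT (100.64.0.0/10), initiator =====
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-SPOKE
 proposal PROP-GCM
!
crypto ikev2 keyring KR-HUB
 peer HUB
  address 203.0.113.10
  identity fqdn hub.example.net
  pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
crypto ikev2 profile PROF-SPOKE
 match identity remote fqdn hub.example.net
 identity local fqdn spoke1.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUB
 dpd 10 3 periodic
!
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile PROF-SPOKE
!
interface GigabitEthernet0/0
 description Starlink WAN (CGNAT address via DHCP)
 ip address dhcp
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC-PROF
!
! FlexVPN client: dials the hub at boot and re-dials after a link drop
! without waiting for interesting traffic to trigger IKE.
crypto ikev2 client flexvpn HUB-CLIENT
 peer 1 203.0.113.10
 client connect Tunnel0
```

Because IKEv2 negotiates NAT traversal itself, the CGNAT in the path needs no special handling beyond the keepalives; `show crypto ikev2 sa detailed` on either side will show whether NAT-T was detected, and `show crypto ipsec sa` shows the ESP-in-UDP/4500 encapsulation. Routing (OSPF or BGP) then runs over the unnumbered tunnel as the WireGuard reply above does. If the hub side also lacked a fixed address, the spoke keyring peer would have to reference a DNS name kept current by a dynamic-DNS client, which is the pattern described in the pfSense reply; with a fixed hub IP that is unnecessary. The `dpd` values trade how quickly a dead peer is noticed against churn on a link that drops for a few seconds at a time, so tune them to the observed outage length rather than copying these placeholders.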
I've tried to build an IPsec tunnel, but the tunnel doesn't set up. Checking the support page, I found out IPsec packets are dropped by CGNAT. So I did an OpenVPN site-to-site.
I'm running IPsec to a Starlink residential site on a Juniper SRX. I also have management tunnels to the same site using WireGuard. These land in Docker containers.
The other replier guessed correctly; I happen to be using MikroTik gear. A Linux box with FRR or a VyOS router could do the same. It should also be possible with IPsec if there's some sort of keepalive to keep the tunnel up (it's been a while since I've touched IPsec).
I don't have any latency numbers I can give right now, but essentially it's a remote office with 4 machines and 10-15 users. Lots of YouTube for training, public Wi-Fi access for their phones, and access to corporate resources through those 4-5 machines. No complaints. Mind you, they are coming from 1.5 Mbps DSL.