IPSec Traffic Overhead over WAN

haithamnofal · ‎02-22-2007

Hi,

I would like to know the amount of overhead and throughput consumption that a site-to-site IPSec tunnel would create on WAN links, especially the ones with low throughputs like 128 kbps? So, in such link provided that the classification of my data is confidential, is it recommended to implement VPN tunnel and is their any disadvantage from doing so?

Regards,

Haitham

Danilo Dy · ‎02-22-2007

IPsec can impose high CPU overhead on VPN gateways (due to the processing necessary for packet encryption/decryption and authentication). High CPU overhead can be alleviated by using hardware accelerators (this is often a good idea in live deployments, especially on hub-site routers).

IPsec also impose bandwidth overhead. see this link http://articles.techrepublic.com.com/5100-1035_11-6159446-3.html

haithamnofal · ‎02-23-2007

Can you please provide more info on such hardware accelerators? Does Cisco have any similar solutions?

Regards,

Haitham

Danilo Dy · ‎02-23-2007

Yes, Cisco have VPN accelerator to take care of IPSEC VPN packets so as not to stress the CPU. LEt me know your device model

Heres the VPN module for some router model http://www.cisco.com/en/US/products/ps6635/products_qanda_item0900aecd80516d81.shtml

haithamnofal · ‎02-23-2007

You are right, this module enhances the router performance by offloading the VPN to the HW module but it still won't reduce the IPSec overhead over the link! So, in this case the BW consumption won't be reduced!

Please advise!

Regards,

Haitham

Danilo Dy · ‎02-23-2007

Nope, it won't be reduced. Well, there is always a "trade off" whenever one implements security :)