too much ipsec encrytion overhead?

srmumtaz01 · ‎06-22-2007

i have a 1841 at Head office configured as ezvpn server. Branch offices are vpn client remote 4.8. everything is fine just that the data after encryption doubles in size. for example the total data which is to be sent to the branch is 512 kb, the wan link utilization is arround 900 kb.

can some one help why is this so; 1 thing that just came to my mind.....PADDING...could this be the reason.....how can it be overcome.

thanks

jwdoherty · ‎07-27-2007

Another possibility, when not doing end-to-end IPSec, is full packets that are encrypted often need to be spit into two packets to allow room for the IPSec header. Similar to a interface which receives packets with a MTU larger than it supports. If this is happening, insure the end sources use a smaller MTU that allows the IPSec header to be added so the original packet doesn't need to be fragmented.

Don't know if the 1841 supports it, but the adjust mss size command could be very helpful. See http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

mwasserman · ‎07-30-2007

The issue here is not just padding, but how large the original packets are.

If you have a lot of small packets, the IPSec overhead will be a much higher percentage-addition to the overall traffic.

If, in general, packets are larger, the overhead will be a smaller relative percentage-addition.

Based on your 512kbps --> 900kbps observation (if this is accurate), your data traffic indicates a lot of small packets being sent (since this is nearly doubling the throughput).

Might want to consider this thought.