GRE Tunnel Vs IPSEC GRE Tunnel

saquib.nawazz · ‎08-03-2009

Is it possible to get some calculation on the overhead on moving from standard GRE Tunnel to IPSEC GRE Tunnel.

With GRE Tunnel when I do a normal ping to another network on remote end it takes 150ms what is expected with IPSEC GRE Tunnel.

Any suggestion to optimize for better performance.

Istvan_Rabai · ‎08-03-2009

Hi Saquib,

Routers generally do encryption on their processors so it puts an additional burden on the processor, especially when traffic is large.

I don't believe there is an exact formula to calculate the delay that IPSec encryption introduces.

Delay of course will depend on the encryption type and key length.

If you really want to decrease delay introduced by IPSec encryption, you may want to apply an encryption module in your router:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htvpnssl.html

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps4221/product_data_sheet09186a00800c4fe2.html

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps5308/product_data_sheet09186a008017dc0a.html

Here, encryption is made in hardware with very high speed that reduces calculation delay significantly.

Cheers:

Istvan

srue · ‎08-03-2009

another option is if you have a firewall (eg ASA) that already does hardware encryption through which your gre tunnel passes, you can just encrypt the gre tunnel at that point.

Leo Laohoo · ‎08-03-2009

Another method is to apply a data encryptor.

Joseph W. Doherty · ‎08-03-2009

"Any suggestion to optimize for better performance."

Avoid packet fragmentation. I.e. insure PMTU works correctly. Also, if platform supported, use the TCP adjust-mss command. See http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml for more info.