I am facing a very simple problem with IPSec in ESP Tunnel mode.
My objective here is to know the precise overhead added to normal payload by IPSec in ESP tunnel mode.
As per Cisco docmentation I read some where that it is up to 57 bytes. However in reality it is taking up to 58 bytes, is it correct? or I miss something?
With the default MTU Size from end to end (I mean 1500 Bytes across the IP Sec peers), I can ping with payload of maximum 1414 bytes from windows PC(This does not include IP header and ICMP Header).
My test results are as below.
When I use payload size of 1409, total ip length in outer ip header should be
1409 data+ 8byte ICMP Header+20 bytes ip header+20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+12 byte ESP Authentication data
Total makes 1487 but in sniffer I found total ip length as 1488. Where is that 1 byte going?
IP length is 1488 for data payload of 1409 to 1402 bytes. I think this is due the rule that while doing Encryption payload size should be multiple of 8.
If I make pay load 1410..........Total IP lenght is becoming 1496.
From the above my assumption is IPSec In ESP Tunnel mode overhead is from 51~58 Bytes.
Is above is correct?
Thanks in advance.