Overhead of IPSEC

redloh
Level 1

I'm running IPSEC over GRE tunnels and have run into a few problems with customer apps not working during periods of heavy utilization. I increased the MTU of the tunnels to 1600 to compensate for the GRE and IPSEC encaps and it cleared up the problems. What I was wondering is what is the amount of overhead IPSEC adds to the packet? Any help would be appreciated.

Regards,

Keith

3 Replies

steve.barlow
Level 7

IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added header(s) vary in length depending on the IPsec configuration mode, but they do not exceed 58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet. IPsec is often deployed in transport mode on top of GRE because the IPsec peers and the GRE tunnel endpoints (the routers) are the same, and transport mode will save 20 bytes of IPsec overhead. GRE adds 4 bytes of overhead.

See link for some ipsec packet formats: http://www.cisco.com/warp/public/105/crypto_qos.html#topic2

Hope it helps.

Steve

That's what I've been looking for. Thanks Steve.

jrossmann
Level 1

The overhead for IPSec is about 60 bytes for ESP and 40 for AH. But in order to compensate for that you have to LOWER the MTU on the interface.

The physical MTU of the interface can't be changed, but you can tell the router not to send packets larger than 1400 bytes BEFORE transformation, so that they will not get larger than 1500 (physical MTU) after transformation.

Hope that helps

Jan
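
The sizing discussed in this thread can be worked through per packet. The following is an added example, not code from any poster: it computes the on-wire size of an inner IP packet sent through GRE and then ESP, and the largest inner packet that still fits a 1500-byte path. The field sizes (20-byte IPv4 header without options, 4-byte basic GRE header, ESP with a CBC cipher and a 96-bit HMAC) and the two transform labels are assumptions chosen for illustration.

```python
# Added example. All sizes are assumptions: IPv4 without options,
# basic GRE (no key/sequence/checksum), ESP with CBC cipher + 96-bit HMAC.
IPV4_HDR = 20      # IPv4 header
GRE_HDR = 4        # basic GRE header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Hypothetical labels -> (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "3des-cbc+hmac-sha1-96": (8, 8, 12),
    "aes-cbc+hmac-sha1-96": (16, 16, 12),
}

def esp_size(plain_len, transform):
    """Bytes of ESP header + IV + padded plaintext + trailer + ICV."""
    iv, block, icv = TRANSFORMS[transform]
    # Plaintext + padding + trailer must be a multiple of the block size.
    pad = -(plain_len + ESP_TRAILER) % block
    return ESP_HDR + iv + plain_len + pad + ESP_TRAILER + icv

def wire_size(inner_len, transform, mode="transport"):
    """On-wire size of an inner IP packet carried in GRE, then ESP."""
    gre_packet = IPV4_HDR + GRE_HDR + inner_len  # delivery IP + GRE + inner
    if mode == "transport":
        # The GRE delivery IP header is reused as the outer header;
        # ESP protects only what follows it (GRE header + inner packet).
        return IPV4_HDR + esp_size(gre_packet - IPV4_HDR, transform)
    # Tunnel mode: the whole GRE packet is protected and a new
    # outer IP header is added in front of ESP.
    return IPV4_HDR + esp_size(gre_packet, transform)

def max_inner_mtu(path_mtu, transform, mode="transport"):
    """Largest inner packet whose protected form fits in path_mtu."""
    size = path_mtu
    while wire_size(size, transform, mode) > path_mtu:
        size -= 1
    return size

if __name__ == "__main__":
    for name in TRANSFORMS:
        for mode in ("transport", "tunnel"):
            print(f"{name:24} {mode:9} "
                  f"1400 -> {wire_size(1400, name, mode)} bytes, "
                  f"max inner for 1500: {max_inner_mtu(1500, name, mode)}")
```

Because of cipher-block padding, the overhead is not a single constant; it varies by a few bytes with packet length, which is why a round figure with some margin is used for the pre-encryption limit.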
