Cisco Support Community

New Member

Overhead of IPSEC

I'm running IPSEC over GRE tunnels and have run into a few problems with customer apps not working during periods of heavy utilization. I increased the MTU of the tunnels to 1600 to compensate for the GRE and IPSEC encaps and it cleared up the problems. What I was wondering is what is the amount of overhead IPSEC adds to the packet? Any help would be appreciated.

Regards,

Keith

3 REPLIES

Re: Overhead of IPSEC

IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added header(s) vary in length depending on the IPsec configuration mode, but they do not exceed 58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet. IPsec is often deployed in transport mode on top of GRE because the IPsec peers and the GRE tunnel endpoints (the routers) are the same, and transport mode will save 20 bytes of IPsec overhead. GRE adds 4 bytes of overhead.

See link for some ipsec packet formats: http://www.cisco.com/warp/public/105/crypto_qos.html#topic2

Hope it helps.

Steve

New Member

Re: Overhead of IPSEC

That's what I've been looking for. Thanks Steve.

New Member

Re: Overhead of IPSEC

The overhead for IPSec is about 60 bytes for ESP and 40 for AH. But in order to compensate for that you have to LOWER the MTU on the interface.

The physical MTU of the interface can't be changed, but you can tell the router not to send packets larger than 1400 bytes BEFORE transformation, so that they will not get larger than 1500 (physical MTU) after transformation.

Hope that helps

Jan
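
The arithmetic behind the figures in this thread, as an added example that is not part of any post: it computes the on-wire size of a packet after GRE and ESP encapsulation, including cipher-block padding, and the largest inner packet that still fits a given link MTU. Assumptions: IPv4 without options, a basic 4-byte GRE header, CBC ciphers with a 96-bit HMAC, no NAT-T; all names in the code are hypothetical.

```python
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options (assumption)
GRE_HDR = 4       # basic GRE header: no key, sequence or checksum fields
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

@dataclass(frozen=True)
class EspTransform:
    block: int    # cipher block size; payload + trailer is padded to a multiple of this
    iv: int       # per-packet IV carried in front of the ciphertext
    icv: int      # integrity check value ("ESPauth") appended to the packet

# Constructed sample transforms (field sizes for CBC ciphers with HMAC-SHA1-96)
AES_CBC_SHA1 = EspTransform(block=16, iv=16, icv=12)
TDES_CBC_SHA1 = EspTransform(block=8, iv=8, icv=12)

def gre_size(inner_len: int) -> int:
    """GRE wraps the whole inner IP packet in a GRE header and a delivery IP header."""
    return inner_len + GRE_HDR + IP_HDR

def esp_size(ip_len: int, t: EspTransform, tunnel: bool) -> int:
    """Size of an IP packet of ip_len bytes after ESP with authentication."""
    # Tunnel mode encrypts the whole packet and prepends a new IP header;
    # transport mode keeps the existing IP header and encrypts only its payload.
    payload = ip_len if tunnel else ip_len - IP_HDR
    padded = -(-(payload + ESP_TRAILER) // t.block) * t.block  # round up to block
    return IP_HDR + ESP_HDR + t.iv + padded + t.icv

def wire_size(inner_len: int, t: EspTransform, tunnel: bool) -> int:
    """Inner packet -> GRE -> ESP, as in the IPsec-over-GRE setup discussed here."""
    return esp_size(gre_size(inner_len), t, tunnel)

def max_inner(link_mtu: int, t: EspTransform, tunnel: bool) -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    for n in range(link_mtu, IP_HDR, -1):
        if wire_size(n, t, tunnel) <= link_mtu:
            return n
    raise ValueError("link MTU too small for this encapsulation")

if __name__ == "__main__":
    for name, t in (("AES-CBC", AES_CBC_SHA1), ("3DES-CBC", TDES_CBC_SHA1)):
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            print(f"{name:8} {mode:9} 1400 -> {wire_size(1400, t, tunnel)} bytes, "
                  f"max inner for 1500 MTU: {max_inner(1500, t, tunnel)}")
```

Because of block padding the overhead is not a constant: it depends on the packet length as well as on the mode and transform.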
