New Member

too much ipsec encryption overhead?

I have an 1841 at Head office configured as an EzVPN server. Branch offices are VPN client remote 4.8. Everything is fine, except that the data doubles in size after encryption. For example, the total data to be sent to the branch is 512 kb, while the WAN link utilization is around 900 kb.

Can someone help with why this is so? One thing that just came to my mind: PADDING. Could this be the cause, and can it be overcome?


New Member

Re: too much ipsec encryption overhead?

Another possibility, when not doing end-to-end IPSec, is that full packets that are encrypted often need to be split into two packets to allow room for the IPSec header. This is similar to an interface which receives packets with an MTU larger than it supports. If this is happening, ensure the end sources use a smaller MTU that allows the IPSec header to be added so the original packet doesn't need to be fragmented.

Don't know if the 1841 supports it, but the adjust mss size command could be very helpful. See

New Member

Re: too much ipsec encryption overhead?

The issue here is not just padding, but how large the original packets are.

If you have a lot of small packets, the IPSec overhead will be a much higher percentage-addition to the overall traffic.

If, in general, packets are larger, the overhead will be a smaller relative percentage-addition.

Based on your 512kbps --> 900kbps observation (if this is accurate), your data traffic indicates a lot of small packets being sent (since this is nearly doubling the throughput).

Might want to consider this thought.
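
Added example, not part of any post in this thread: the per-packet arithmetic behind both replies, using the ESP tunnel-mode layout from RFC 4303. The cipher (AES-CBC), integrity algorithm (HMAC-SHA1-96), IPv4 without options and the 1500-byte WAN MTU are assumptions, since the thread does not state the transform set; all function names are illustrative.

```python
"""ESP tunnel-mode size arithmetic (RFC 4303 layout). Added example.

Assumed, not stated in the thread: AES-CBC (16-byte block and IV),
HMAC-SHA1-96 (12-byte ICV), IPv4 without options, 1500-byte WAN MTU.
"""
OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NAT_T_UDP = 8      # UDP/4500 encapsulation, if NAT traversal is in use


def esp_packet_len(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Length of the outer IP packet carrying one inner IP packet."""
    pad = -(inner_len + ESP_TRAILER) % block   # pad ciphertext to block size
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IP + udp + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def wire_cost(inner_len, mtu=1500, **esp):
    """(packets, bytes) on the WAN, fragmenting after encryption if needed."""
    total = esp_packet_len(inner_len, **esp)
    if total <= mtu:
        return 1, total
    per_frag = (mtu - OUTER_IP) // 8 * 8       # fragment data is 8-byte aligned
    data = total - OUTER_IP
    frags = -(-data // per_frag)               # ceiling division
    return frags, data + frags * OUTER_IP


def max_inner_len(mtu=1500, **esp):
    """Largest inner packet that still fits in one outer packet."""
    return max(n for n in range(1, mtu + 1) if esp_packet_len(n, **esp) <= mtu)


def report(sizes=(40, 64, 200, 576, 1438, 1500)):
    """Rows of (inner bytes, packets, wire bytes, expansion ratio)."""
    rows = []
    for n in sizes:
        pkts, wire = wire_cost(n)
        rows.append((n, pkts, wire, round(wire / n, 2)))
    return rows


if __name__ == "__main__":
    for n, pkts, wire, ratio in report():
        print(f"inner {n:5d} B -> {pkts} pkt, {wire:5d} B on wire, x{ratio}")
    print("largest unfragmented inner packet:", max_inner_len(), "bytes")
```

Under these assumptions a 40-byte TCP ACK becomes 104 bytes on the wire, while a full 1500-byte packet becomes two fragments totalling 1580 bytes; inner packets of 1438 bytes or less stay in a single outer packet.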