Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

GRE Tunnel Vs IPSEC GRE Tunnel

Is it possible to get some calculation on the overhead on moving from standard GRE Tunnel to IPSEC GRE Tunnel.

With GRE Tunnel when I do a normal ping to another network on remote end it takes 150ms what is expected with IPSEC GRE Tunnel.

Any suggestion to optimize for better performance.

4 REPLIES

Re: GRE Tunnel Vs IPSEC GRE Tunnel

Hi Saquib,

Routers generally do encryption on their processors so it puts an additional burden on the processor, especially when traffic is large.

I don't believe there is an exact formula to calculate the delay that IPSec encryption introduces.

Delay of course will depend on the encryption type and key length.

If you really want to decrease delay introduced by IPSec encryption, you may want to apply an encryption module in your router:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htvpnssl.html

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps4221/product_data_sheet09186a00800c4fe2.html

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps5308/product_data_sheet09186a008017dc0a.html

Here, encryption is made in hardware with very high speed that reduces calculation delay significantly.

Cheers:

Istvan

Gold

Re: GRE Tunnel Vs IPSEC GRE Tunnel

another option is if you have a firewall (eg ASA) that already does hardware encryption through which your gre tunnel passes, you can just encrypt the gre tunnel at that point.

Hall of Fame Super Gold

Re: GRE Tunnel Vs IPSEC GRE Tunnel

Another method is to apply a data encryptor.

Super Bronze

Re: GRE Tunnel Vs IPSEC GRE Tunnel

"Any suggestion to optimize for better performance."

Avoid packet fragmentation. I.e. insure PMTU works correctly. Also, if platform supported, use the TCP adjust-mss command. See http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml for more info.

1031
Views
0
Helpful
4
Replies
CreatePlease to create content