
IPSec overhead

Bruin2781
Level 1

Hi All

I need some help trying to figure out the IPsec overhead in ESP Tunnel mode.
Scanning the internet makes me believe the overhead must be between 51 - 58 bytes.

Testing this in Wireshark makes my head spin.

R1 --- R2 --- R3-- R4  (IPsec tunnel between R2 and R3)

Capture before and after IPsec tunnel
Total = 1414 bytes
- Ethernet Header 14 bytes
- IP header 20 bytes
- ICMP header 8 bytes
- payload 1372

Capture tunnel data (between R2 & R3)
Total = 1478 bytes
- Ethernet header 14 bytes
- IP header 20 bytes
- ESP ??? (encapsulates ip.h & icmp.h)

The difference between the packets is now 1478 - 1414 = 64 bytes
ESP is creating an extra IP header of 20 bytes
64 bytes - 20 bytes (extra IP header) = makes the IPSec overhead 44 bytes
What am I missing here? Why is the overhead not between 51 and 58 bytes?

Thanks

1 Accepted Solution


Mark Malone
VIP Alumni

There's a tool on the Cisco website that may help as well

https://cway.cisco.com/tools/ipsec-overhead-calc/ipsec-overhead-calc.html


4 Replies

Your increase of 64 Bytes looks perfectly fine:

Thanks for the quick answer

So when using IPSec in tunnel mode and you don't want to calculate the exact overhead, it is safe to adjust the MTU with the max possible IPSec header of 73 bytes, and for IPSec in transport mode 53 bytes.

Typically you don't adjust the MTU, but the MSS is reduced, for example by 80 Bytes to 1380. Also be aware that there could be other overhead as well, like the 8 Bytes on DSL connections.
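
The arithmetic behind the 64-byte difference in the question's capture, as an added example that is not part of the original thread. The two transforms (AES-CBC and 3DES-CBC, each with a 96-bit HMAC ICV) are assumptions, since the thread does not say which transform set was configured; IPv4 without NAT-T is also assumed.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no NAT-T).
# The transform parameters are assumptions; the thread does not name them.
from collections import namedtuple

ETHERNET = 14      # Ethernet header, as counted in the captures
OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# iv_len: per-packet IV after the ESP header
# block:  cipher block size the plaintext is padded to
# icv_len: truncated integrity check value at the end of the packet
Transform = namedtuple("Transform", "name iv_len block icv_len")

# Assumed transforms (constructed for this example)
AES_CBC_HMAC_96 = Transform("AES-CBC + HMAC-SHA1-96", 16, 16, 12)
TDES_CBC_HMAC_96 = Transform("3DES-CBC + HMAC-SHA1-96", 8, 8, 12)


def esp_padding(inner_len, t):
    """Pad bytes so inner packet + 2-byte trailer fills whole cipher blocks."""
    return -(inner_len + ESP_TRAILER) % t.block


def tunnel_packet_len(inner_len, t):
    """Outer IP packet length for an inner IP packet of inner_len bytes."""
    return (OUTER_IP + ESP_HEADER + t.iv_len + inner_len
            + esp_padding(inner_len, t) + ESP_TRAILER + t.icv_len)


def overhead(inner_len, t):
    """Bytes added by tunnel-mode ESP, including the outer IP header."""
    return tunnel_packet_len(inner_len, t) - inner_len


def overhead_range(t):
    """(min, max) overhead over every possible padding amount."""
    vals = [overhead(n, t) for n in range(20, 20 + t.block)]
    return min(vals), max(vals)


if __name__ == "__main__":
    inner = 1414 - ETHERNET  # inner IP packet from the question: 20 + 8 + 1372
    for t in (AES_CBC_HMAC_96, TDES_CBC_HMAC_96):
        frame = tunnel_packet_len(inner, t) + ETHERNET
        print(f"{t.name}: frame {frame} bytes, overhead {overhead(inner, t)}, "
              f"range {overhead_range(t)}")
```

Under the assumed AES-CBC transform the calculation reproduces the 1478-byte frame from the capture, and the overhead changes with the inner packet length because of block padding.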
