cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
212
Views
0
Helpful
2
Replies
farzancisco
Beginner

IPSec Header Calculate

Hello everyone,


i have a conflict. Despite the use of IPSec Tunnel in Crypto Map mode, the overhead is not calculated.
The IP MTU value for us is 1500.
I execute the command:
"ping -f -l 1472 10.1.240.155"
that is, I have 28 bytes as overhead.
20 bytes "new IP overhead or external IP" + 8 bytes ICMP overhead.
How was IPSec (ESP header, ESP trailer, etc.) calculated here?
I see nothing.
Can someone please explain that?


Thank you

2 REPLIES 2
Mohammed al Baqari
VIP Advisor

Hi,

Can you check this link for test the header size? Also, make sure
fragmentation is disabled by setting DF in your ping and disable (clear DF
bit for IPSEC traffic on your router/firewall).

https://community.cisco.com/t5/security-documents/ipsec-overhead-calculator-tool/ta-p/3162650

***** please remember to rate useful posts

I checked the link so I asked the question.
IP MTU 1500 bytes
New IPv4 header for IPsec 20 bytes
ESP header 8 bytes
ESP IV 16 bytes
Original IPv4 header 20 bytes
Original IPv4 Paylod X byte
ESP trailer 36 bytes

20 + 8 + 16 + 20 + 36 = 100 byte overhead
That means I didn't have to have more than 1400 Byte IP Paylod.
but I can send 1472 bytes with ICMP.

Interface config:

interface GigabitEthernetX / X / X / X
.
.
.
.
.
crypto ipsec df-bit clear

Create
Recognize Your Peers
Content for Community-Ad