
IPSec Header Calculate

farzancisco
Level 1

Hello everyone,


I have a conflict. Despite the use of IPSec Tunnel in Crypto Map mode, the overhead is not calculated.
The IP MTU value for us is 1500.
I execute the command:
"ping -f -l 1472 10.1.240.155"
that is, I have 28 bytes as overhead.
20 bytes "new IP overhead or external IP" + 8 bytes ICMP overhead.
How was IPSec (ESP header, ESP trailer, etc.) calculated here?
I see nothing.
Can someone please explain that?


Thank you

2 Replies

Hi,

Can you check this link to test the header size? Also, make sure
fragmentation is disabled by setting DF in your ping and disable (clear DF
bit for IPSEC traffic on your router/firewall).

https://community.cisco.com/t5/security-documents/ipsec-overhead-calculator-tool/ta-p/3162650

***** please remember to rate useful posts

I checked the link so I asked the question.
IP MTU 1500 bytes
New IPv4 header for IPsec 20 bytes
ESP header 8 bytes
ESP IV 16 bytes
Original IPv4 header 20 bytes
Original IPv4 Payload X byte
ESP trailer 36 bytes

20 + 8 + 16 + 20 + 36 = 100 byte overhead
That means I didn't have to have more than 1400 Byte IP Payload.
but I can send 1472 bytes with ICMP.

Interface config:

interface GigabitEthernetX/X/X/X
.
.
.
.
.
crypto ipsec df-bit clear
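
Added example, not part of the thread and not Cisco's calculator: the ESP tunnel-mode size arithmetic discussed above, following the RFC 4303 packet layout. It assumes AES-CBC (16-byte IV and block, matching the IV size listed in the post) and a 12-byte ICV (HMAC-SHA1-96); all function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 layout).
# Cipher parameters are assumptions, not read from the poster's router.

OUTER_IP = 20        # new IPv4 header, no options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TAIL_FIXED = 2   # pad length (1) + next header (1)


def esp_padding(inner_len, block=16):
    """Pad bytes so inner packet + pad + 2 trailer bytes fill whole cipher blocks."""
    return -(inner_len + ESP_TAIL_FIXED) % block


def esp_tunnel_size(inner_len, iv=16, block=16, icv=12):
    """On-wire IPv4 packet size after ESP tunnel-mode encapsulation."""
    pad = esp_padding(inner_len, block)
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TAIL_FIXED + icv


def max_inner_packet(link_mtu=1500, iv=16, block=16, icv=12):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    room = link_mtu - OUTER_IP - ESP_HDR - iv - icv  # bytes left for ciphertext
    room -= room % block                              # ciphertext is whole blocks
    return room - ESP_TAIL_FIXED


def ping_inner_len(icmp_data):
    """Inner packet built by 'ping -l N': IPv4 header + ICMP header + data."""
    return 20 + 8 + icmp_data


if __name__ == "__main__":
    inner = ping_inner_len(1472)          # the ping from the question
    wire = esp_tunnel_size(inner)
    print(f"inner packet {inner} B -> ESP packet {wire} B")
    if wire > 1500:
        print(f"exceeds a 1500-byte MTU by {wire - 1500} B")
    limit = max_inner_packet(1500)
    print(f"largest inner packet that fits unfragmented: {limit} B "
          f"(ping -l {limit - 28})")
```

Under these assumptions the 1500-byte inner packet from `ping -f -l 1472` becomes 1560 bytes after encapsulation, so it cannot cross a 1500-byte link in one piece. Whether it is then fragmented or dropped depends on how the DF bit is handled on the encapsulating header.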