2361 Views · 10 Helpful · 6 Replies

IPsec overhead question

MatthewHickey7355
Frequent Visitor

We have an IPsec s2s tunnel between two FTD units (one physical, one virtual). When you run show cry ipsec sa peer X.X.X.X, there's a part of the output that shows you the IPsec overhead. But it shows two values, and that's what is confusing me. See the underlined portion below:

local crypto endpt.: X.X.X.X/XXXX, remote crypto endpt.: X.X.X.X/XXXX
path mtu 1500, ipsec overhead 63(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled

Is this telling me that the overall IPsec overhead is 63 bytes? What does the 44 in parentheses indicate?

6 Replies

As far as I know,
ipsec overhead 63(44)

44 for SHA 
63 for AES

44 Bytes are the header overhead. This could be built from:

  • 20 Byte new IP header
  • 8 Byte NAT-T
  • 4 Byte SPI
  • 4 Byte Sequence number
  • 8 Byte IV (assuming you use AES-GCM)

63 Bytes is the overhead if we also add the ESP trailer with

  • 1 Byte Padding
  • 1 Byte Pad length
  • 1 Byte Next header
  • 16 Byte ICV
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

So if that is true we are looking at 107 bytes of IPsec overhead on top of IP and TCP payloads. Am I interpreting that correctly?

I think I misread that. 63 is the total overhead you are describing. Sorry, I hadn't had my morning coffee yet!

coffee first always. LoL..


@MatthewHickey7355 wrote:

Sorry, I hadn't had my morning coffee yet!


Why do you do such things? That's dangerous ... 😉
