09-25-2002 12:49 PM - edited 02-21-2020 12:05 PM
I'm running IPSEC over GRE tunnels and have run into a few problems with customer apps not working during periods of heavy utilization. I increased the MTU of the tunnels to 1600 to compensate for the GRE and IPSEC encaps and it cleared up the problems. What I was wondering is what is the amount of overhead IPSEC adds to the packet? Any help would be appreciated.
Regards,
Keith
09-25-2002 01:55 PM
IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added header(s) vary in length depending on the IPsec configuration mode but they do not exceed 58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet. IPsec is often deployed in transport mode on top of GRE because the IPsec peers and the GRE tunnel endpoints (the routers) are the same, and transport-mode will save 20 bytes of IPsec overhead. GRE adds 4 bytes of overhead.
See link for some ipsec packet formats: http://www.cisco.com/warp/public/105/crypto_qos.html#topic2
Hope it helps.
Steve
09-25-2002 04:46 PM
That's what I've been looking for. Thanks Steve.
10-23-2002 01:46 AM
The overhead for IPSec is about 60 bytes for ESP and 40 for AH. But in order to compensate for that you have to LOWER the MTU on the interface.
The physical MTU of the interface can't be changed, but you can tell the router not to send packets larger than 1400 bytes BEFORE transformation, so that they will not get larger than 1500 (physical MTU) after transformation.
Hope that helps
Jan
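The per-packet arithmetic discussed in this thread, as an added example that is not part of any post: it computes the on-wire size of an inner IP packet carried in GRE and protected by ESP in transport or tunnel mode, including cipher-block padding, and finds the largest inner packet that fits a given path MTU. It assumes IPv4 headers without options, a basic 4-byte GRE header carried in its own 20-byte delivery IP header, ESP as laid out in RFC 4303 with 3DES-CBC or AES-CBC and a 12-byte truncated HMAC ICV, and no NAT-T; all function names are illustrative.

```python
"""Per-packet size of GRE-over-IPsec (ESP) traffic. Added example; names are illustrative."""

IP_HDR = 20          # IPv4 header, no options (assumption)
GRE_HDR = 4          # basic GRE header, no key/sequence fields (assumption)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# (IV bytes, cipher block bytes) for the CBC ciphers assumed here
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}
ICV = 12             # HMAC-SHA1-96 / HMAC-MD5-96 integrity check value


def esp_size(payload_len, cipher):
    """Bytes occupied by ESP header + IV + padded payload and trailer + ICV."""
    iv, block = CIPHERS[cipher]
    body = payload_len + ESP_TRAILER
    padded = -(-body // block) * block  # round up to the cipher block size
    return ESP_HDR + iv + padded + ICV


def wire_size(inner_len, mode, cipher="3des"):
    """On-wire size of an inner IP packet carried in GRE, then protected by ESP."""
    gre_packet = IP_HDR + GRE_HDR + inner_len
    if mode == "transport":
        # GRE delivery IP header stays in clear; ESP covers GRE header + inner packet
        return IP_HDR + esp_size(gre_packet - IP_HDR, cipher)
    if mode == "tunnel":
        # the whole GRE packet is encrypted and a new outer IP header is added
        return IP_HDR + esp_size(gre_packet, cipher)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def max_inner(path_mtu, mode, cipher="3des"):
    """Largest inner packet whose encapsulated size does not exceed path_mtu."""
    size = path_mtu
    while size > 0 and wire_size(size, mode, cipher) > path_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for cipher in CIPHERS:
            print(f"{mode:9} {cipher:7} 1400 -> {wire_size(1400, mode, cipher)} bytes, "
                  f"max inner for 1500: {max_inner(1500, mode, cipher)}")
```

Because of block padding, the overhead is not a single constant: it changes by up to one cipher block depending on the inner packet length.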