1623 Views | 0 Helpful | 10 Replies

Transform-SET ESP Null

waschminator
Level 1

Hello,

If we are using ESP-Null for the transform-set, is it correct that:

- a license is still necessary if traffic goes beyond 250 Mbps

- it brings performance benefits on Catalyst 8000/8000v?

- it is still a valid option if an unencrypted tunnel is enough but GRE cannot be used


br + thx

Accepted Solution

M02@rt37
VIP

Hello @waschminator 

According to RFC 2410, ESP-NULL provides an IPsec tunnel without performing encryption, offering only the ESP header and optional integrity/auth, which means it can be used whenever confidentiality is not required but encapsulation and authentication are still desired; it inherently improves performance compared to encrypted ESP because no crypto operations are performed, and yes, it is a valid option when an unencrypted tunnel is sufficient but GRE cannot be used.

Licence is still required, yes.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


10 Replies


ESP-null, so no need for IPsec at all.

Use only GRE.

MHM

GRE is not possible.

Is this router an 8000/8000v?

Under the tunnel,

which tunnel mode?

What options do you have?

MHM

Any update?

MHM

GRE is not possible because the environment does not support it. It is not a question of the router config. The Cisco router supports it for sure.

I already checked:
mode ipv4 is supported, and this mode needs an IPsec profile and hence needs a transform set.

So you need to use IPsec.
For ESP-NULL I don't get anything about whether it needs a license or not.

The point is that the router counts traffic passing via the IPsec tunnel as encrypted whether we use esp-null or not.

MHM

show plat hard qfp active datapath utilize <<- check this command when you use ESP NULL,
and share it if you can.

MHM

R#show plat hard qfp active datapath utilization
  CPP 0: Subdev 0               5 secs        1 min        5 min       60 min
Input:  Priority (pps)               0            0            0            0
                 (bps)               0            0            0            0
    Non-Priority (pps)              12           12           30         2718
                 (bps)            6128         5552       132040     23336600
           Total (pps)              12           12           30         2718
                 (bps)            6128         5552       132040     23336600
Output: Priority (pps)               0            0            0            0
                 (bps)               0            0            0            0
    Non-Priority (pps)              10           12           30         2717
                 (bps)            9256        23600       151664     23990472
           Total (pps)              10           12           30         2717
                 (bps)            9256        23600       151664     23990472
Processing: Load (pct)               3            3            3            4

23336600 >> around 23 Mbps input

23990472 >> around 23 Mbps output

So in total 23 Mbps in each direction.

This is when you use esp-null.

You can try using another ESP and check the number.

But for now it is 10% of the 250 Mbps throughput.

MHM
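As an added example, not code from the thread or from Cisco: a small Python helper that parses the datapath utilization output posted above into Mbps per direction and reports each 60-minute total as a share of the 250 Mbps figure discussed in this thread. The embedded sample output is constructed in the same layout as the post, and the window labels, the LIMIT_MBPS constant and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the thread's output (5 secs, 1 min, 5 min, 60 min).
SAMPLE_OUTPUT = """\
CPP 0: Subdev 0 5 secs 1 min 5 min 60 min
Input: Priority (pps) 0 0 0 0
(bps) 0 0 0 0
Non-Priority (pps) 12 12 30 2718
(bps) 6128 5552 132040 23336600
Total (pps) 12 12 30 2718
(bps) 6128 5552 132040 23336600
Output: Priority (pps) 0 0 0 0
(bps) 0 0 0 0
Non-Priority (pps) 10 12 30 2717
(bps) 9256 23600 151664 23990472
Total (pps) 10 12 30 2717
(bps) 9256 23600 151664 23990472
Processing: Load (pct) 3 3 3 4
"""
WINDOWS = ("5s", "1m", "5m", "60m")  # assumed labels for the four averaging columns
LIMIT_MBPS = 250.0  # throughput figure discussed in the thread (assumption)

def _values(line, unit):
    """Numbers after the '(bps)' or '(pct)' token, keyed by averaging window."""
    nums = [int(v) for v in re.findall(r"\d+", line.split(unit, 1)[1])]
    return dict(zip(WINDOWS, nums))

def parse_qfp_utilization(text):
    """Extract the Total (bps) row per direction and the Processing Load row."""
    stats, direction, after_total = {}, None, False
    for line in text.splitlines():
        if m := re.match(r"\s*(Input|Output):", line):
            direction = m.group(1).lower()
        if "Total" in line and "(pps)" in line:
            after_total = True  # the next "(bps)" line belongs to the Total row
        elif after_total and "(bps)" in line:
            stats[direction] = _values(line, "(bps)")
            after_total = False
        elif "Load (pct)" in line:
            stats["load"] = _values(line, "(pct)")
    return stats

def throughput_report(text, window="60m", limit_mbps=LIMIT_MBPS):
    """Mbps per direction for one window and its share of the throughput limit."""
    stats, report = parse_qfp_utilization(text), {}
    for d in ("input", "output"):
        mbps = stats[d][window] / 1_000_000  # bps -> Mbps (decimal, as in the thread)
        report[d] = {"mbps": round(mbps, 1), "over_limit": mbps > limit_mbps,
                     "pct_of_limit": round(100 * mbps / limit_mbps, 1)}
    return report
```

Feed it the raw output of the show command captured from the router; with the sample above it reports roughly 23 Mbps in and 24 Mbps out, a bit under 10% of 250 Mbps, matching the estimate in the reply.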