What is the difference between an IPsec tunnel and a normal tunnel, and what is the bandwidth of eac

I have a Fast Ethernet connection to my ISP that I've configured to support three IPsec tunnels and three normal tunnels. What is the bandwidth of each tunnel? Can I configure the bandwidth for each tunnel? What is the difference between an IPsec tunnel and a normal tunnel?
Methods commonly used to tunnel traffic include IP-in-IP and the Generic Routing Encapsulation (GRE). I suspect that your "normal tunnels" are using one of these methods to carry IP packets from one network to another without regard to the network topology that lies between them. These methods simply wrap an inner IP packet inside an outer IP packet. Routers encountered between the tunnel endpoints look only at the outer IP packet header to determine whether and how to forward the packet towards the outer destination. The inner IP headers are only used once the packet reaches the outer destination IP. There, the outer headers are stripped before the packet is forwarded towards the inner destination. For example, inner IP headers may contain private (non-routable) addresses like 192.168.0.x or 10.x.x.x. Tunneling lets a privately-addressed packet to traverse a public network like the Internet or your ISP's backbone network.

Psec can be used in tunnel mode or transport mode, but most VPNs use IPsec in tunnel mode. IPsec in tunnel mode...

works just like I've described with respect to encapsulation and traversing intervening networks. But IPsec ALSO uses security measures to protect the inner IP packet from eavesdropping, replay, insertion, or modification. For example, IPsec ESP in tunnel mode encrypts the entire inner packet (including the inner packet's IP header) so that nobody in between can see the ultimate source or destination, type of application, or data payload. IPsec ESP and AH in tunnel mode use a hashed message authentication code to detect any change to the inner IP packet. Your "normal tunnels" probably do not have this type of cryptographic protection, which means that someone could inject modified packets or intercept your data in transit. If you are sending confidential information and need to be sure that no one (including your ISP) can tamper with that information, you should use IPsec tunnels.

Bandwidth management is independent of tunneling method. Products without bandwidth management features don't allocate any specific bandwidth to each tunnel -- all tunnels share the aggregate bandwidth of the data link, first-come first-serve. On the other hand, if your firewall or router provides bandwidth management, it may do so in a wide variety of ways. It might let you prioritize tunnels so that one tunnel gets "first dibs" on available bandwidth (i.e., packets for that tunnel get processed first). Or it might let you assign a maximum throughput to each tunnel, or possibly burstable throughputs. For example, if your link supports 100 Mbps, you might configure a 10 Mbps limit for each of your 6 tunnels. Depending on the product, the tunnels might share any unused capacity on a FCFS or priority basis, or spare capacity might go unused if 10 Mbps is treated as an absolute upper bound. Because bandwidth management features vary widely and are product specific, you'll need to consult your firewall or router's documentation to learn about bandwidth controls (if any) applied to your tunnels.

This was last published in April 2004

Dig Deeper on Network Design



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.