
Determining IPsec tunneling, bandwidth capacity

This tip demystifies VPN router tunnels, including IPsec tunnels, and explains bandwidth management and how to determine bandwidth capacity for router tunnels.

"Normal tunnels" use one of two common methods -- IP-in-IP or Generic Routing Encapsulation (GRE) -- to carry IP packets from one network to another without regard to the network topology that lies between them. These methods simply wrap an inner IP packet inside an outer IP packet. Routers encountered between the tunnel endpoints look only at the outer IP packet header to determine whether and how to forward the packet towards the outer destination. The inner IP headers are only used once the packet reaches the outer destination IP. There, the outer headers are stripped before the packet is forwarded towards the inner destination. For example, inner IP headers may contain private (non-routable) addresses like 192.168.0.x or 10.x.x.x. Tunneling lets a privately addressed packet traverse a public network like the Internet or your ISP's backbone network.

IPsec can be used in tunnel mode or transport mode, but most VPNs use IPsec in tunnel mode. IPsec in tunnel mode works just like I've described with respect to encapsulation and traversing intervening networks. But IPsec also uses security measures to protect the inner IP packet from eavesdropping, replay, insertion, or modification. For example, IPsec ESP in tunnel mode encrypts the entire inner packet (including the inner packet's IP header) so that nobody in between can see the ultimate source or destination, type of application, or data payload. IPsec ESP and AH in tunnel mode use a hashed message authentication code to detect any change to the inner IP packet. Your "normal tunnels" probably do not have this type of cryptographic protection, which means that someone could inject modified packets or intercept your data in transit. If you are sending confidential information and need to be sure that no one (including your ISP) can tamper with that information, you should use IPsec tunnels.
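The contrast described above between a plain tunnel and one protected by a message authentication code can be seen in a short model; this is an added example, not part of the original tip. It is a simplified sketch rather than the ESP or AH wire format (no encryption, no replay protection), and the function names, key, payload and addresses are assumptions constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

IPIP = 4      # IANA protocol number for IPv4-in-IPv4 encapsulation
TAG_LEN = 16  # bytes of HMAC-SHA-256 kept as the tag (assumption of this model)

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    checksum = ~((total & 0xFFFF) + (total >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def encapsulate(inner, tun_src, tun_dst, key=None):
    """Wrap the inner packet in an outer header; with a key, append an HMAC tag."""
    body = inner + (tag(key, inner) if key is not None else b"")
    return ipv4_header(tun_src, tun_dst, IPIP, len(body)) + body

def decapsulate(outer, key=None):
    """Strip the outer header; with a key, reject an inner packet whose tag fails."""
    body = outer[20:]
    if key is None:
        return body  # plain tunnel: nothing to verify, any content is accepted
    inner, received = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(received, tag(key, inner)):
        raise ValueError("integrity check failed: inner packet changed in transit")
    return inner

def route_view(packet):  # the addresses a router on the path reads: outermost header only
    return tuple(str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))

def flip_byte(packet, offset):  # models a change made to one byte in transit
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]

KEY, PAYLOAD = b"constructed-demo-key", b"constructed payload"  # constructed sample values
INNER = ipv4_header("192.168.0.10", "10.0.0.20", 17, len(PAYLOAD)) + PAYLOAD  # private addresses
PLAIN = encapsulate(INNER, "198.51.100.1", "203.0.113.1")  # documentation-range endpoints
PROTECTED = encapsulate(INNER, "198.51.100.1", "203.0.113.1", KEY)

if __name__ == "__main__":
    print("router sees", route_view(PLAIN), "inner is", route_view(decapsulate(PLAIN)))
    print("plain tunnel accepts:", decapsulate(flip_byte(PLAIN, 40))[20:])
    try:
        decapsulate(flip_byte(PROTECTED, 40), KEY)
    except ValueError as err:
        print("keyed tunnel rejects:", err)
```

The plain tunnel hands the altered inner packet onward unchanged in form, while the keyed tunnel drops it at the endpoint because the recomputed tag no longer matches.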

Bandwidth management is independent of tunneling method. Products without bandwidth management features don't allocate any specific bandwidth to each tunnel -- all tunnels share the aggregate bandwidth of the data link on a first-come, first-served (FCFS) basis. On the other hand, if your firewall or router provides bandwidth management, it may do so in a wide variety of ways. It might let you prioritize tunnels so that one tunnel gets "first dibs" on available bandwidth (i.e., packets for that tunnel get processed first). Or it might let you assign a maximum throughput to each tunnel, or possibly burstable throughputs. For example, if your link supports 100 Mbps, you might configure a 10 Mbps limit for each of your 6 tunnels. Depending on the product, the tunnels might share any unused capacity on an FCFS or priority basis, or spare capacity might go unused if 10 Mbps is treated as an absolute upper bound. Because bandwidth management features vary widely and are product-specific, you'll need to consult your firewall or router's documentation to learn about bandwidth controls (if any) applied to your tunnels.

This question was asked at Ask the Experts on

Lisa Phifer, Contributing expert

About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to and

This was last published in May 2009
