GRE IPsec tunnel and transport mode overhead

Understand how much packet overhead is used in GRE IPsec tunnel vs. transport mode in this technical tip.

Depending on the selected IPsec mode, the overhead introduced in the packet varies. The more overhead, the less usable data can be transferred to the other end over a VPN.

In turn, transmitting less usable data means that more packets are necessary to transfer the required data. This means additional time is required to complete the data transfer!

It should be evident how an IPsec mode can introduce a ripple effect, which affects the whole process of transferring data between sites, causing major fragmentation of the encrypted packets and delays.

So how much overhead are we talking about? Let's take a look:

GRE IPsec tunnel mode consists of the following overhead:

ESP Overhead: 52 Bytes
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
Total Overhead: 52 + 24 = 76 Bytes

GRE IPsec transport mode consists of the following overhead:

ESP Overhead: 52 Bytes
GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes

The result shows a difference of 20 bytes between the two GRE IPsec modes. While this might not seem like much for one packet, when talking about transferring hundreds of megabytes, the overhead is considerable.
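To put the 20-byte difference in context, the following added example (not part of the original tip) computes the packet count and total overhead for a bulk transfer in each mode, using the tip's fixed per-packet figures. The 1500-byte link MTU, the 40 bytes of inner IPv4 and TCP headers, and the function names are assumptions of the example; real ESP overhead also varies with the cipher and padding.

```python
import math

# Per-packet overhead figures taken from the tip (bytes).
ESP_OVERHEAD = 52
GRE_HEADER = 4
GRE_IP_HEADER = 20      # extra IP header, counted in tunnel mode only

# Assumptions of this example (not from the tip):
LINK_MTU = 1500         # typical Ethernet MTU
INNER_HEADERS = 40      # inner IPv4 (20) + TCP (20) headers, no options


def overhead(mode):
    """GRE + IPsec overhead per packet for 'tunnel' or 'transport' mode."""
    if mode == "tunnel":
        return ESP_OVERHEAD + GRE_IP_HEADER + GRE_HEADER
    if mode == "transport":
        return ESP_OVERHEAD + GRE_HEADER
    raise ValueError(f"unknown mode: {mode!r}")


def fits(inner_packet_len, mode, link_mtu=LINK_MTU):
    """True if the encapsulated packet fits the link without fragmentation."""
    return inner_packet_len + overhead(mode) <= link_mtu


def transfer_cost(mode, data_bytes, link_mtu=LINK_MTU):
    """Packets and overhead bytes needed to move data_bytes unfragmented."""
    oh = overhead(mode)
    inner_mtu = link_mtu - oh               # largest inner packet that fits
    payload = inner_mtu - INNER_HEADERS     # usable data per packet
    if payload <= 0:
        raise ValueError("link MTU too small for this encapsulation")
    packets = math.ceil(data_bytes / payload)
    return {
        "inner_mtu": inner_mtu,
        "payload_per_packet": payload,
        "packets": packets,
        "overhead_bytes": packets * oh,
    }


if __name__ == "__main__":
    size = 100 * 1000 * 1000                # constructed sample: 100 MB transfer
    for mode in ("tunnel", "transport"):
        print(mode, overhead(mode), transfer_cost(mode, size))
    # A full 1500-byte inner packet never fits once encapsulated:
    print("1500-byte packet fits in transport mode:", fits(1500, "transport"))
```

The `inner_mtu` value is the largest packet a host behind the tunnel can send before the encapsulated result exceeds the link MTU and has to be fragmented.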

The additional overhead can also affect a router's performance when dealing with multiple VPNs on high-speed connections. The impact of the additional overhead on a router connected via an asymmetric digital subscriber line (ADSL) connection might not be noticeable, due to the restricted upload speeds. However, on symmetric digital subscriber lines (SDSL), very-high-bit-rate digital subscriber lines (VDSL) or leased lines, where network speeds can reach up to 50 to 60 MBps or more, the impact on the router's performance is usually noticeable.

Again, how much a router's performance is hit will also depend on the model, CPU processing power and overall services offered on it.

A good practice is to run IPsec tunnel mode to obtain the best possible security, while ensuring corporate headquarters uses VPN hardware acceleration. This will help alleviate the burden of VPN processing and ensure VPN performance is at its peak!


This was last published in June 2012
