Anonymous
Not applicable

VPN Overhead


Dear Guys,

I'm writing because I have a situation with VPN traffic: I was asked whether traffic over a VPN consumes more bandwidth than NAT traffic to reach a web server.

Imagine this: I have a web server hosted in a data center, and to reach it I can use a static NAT with a public IP, or use a VPN tunnel from the remote location to the data center.

My answer is that the traffic will generate more overhead and consume more bandwidth because of the encryption and payload headers of the VPN; in contrast, if the remote site accesses the server directly over the internet via the server's public IP, it will consume less bandwidth.

If my asseveration is good, I would like to ask for a technical document in which we can prove how much overhead the VPN traffic generates.

Would you help me here!?

Thanks in advance,


Accepted Solutions
Anonymous
Not applicable

Re: VPN Overhead


Thank you for asking this question. If I understand your question properly, you are asking which takes up more bandwidth: an IPSec VPN or a NAT'ed packet. The answer is that an IPSec VPN takes up more bandwidth. As you stated, the IPSec VPN adds additional overhead for encryption and hashing. The table below specifies how much overhead is added for each IPSec transform set variation:

| IPSec Transform Set Combination | Maximum IPSec Overhead (Bytes) |
|---|---|
| esp-(3des or des) esp-(sha or md5)-hmac | 57 |
| esp-(3des or des) | 45 |
| esp-aes-(128, 192, or 256) esp-(sha or md5)-hmac | 73 |
| esp-aes-(128, 192, or 256) | 61 |
| ah-(sha or md5)-hmac esp-(3des or des) | 69 |
| ah-(sha or md5)-hmac esp-aes-(128, 192, or 256) | 85 |
| ah-(sha or md5)-hmac | 44 |

This information can be found in the document Configuring a GRE over IPSEC VPN Tunnel in AOS.

I hope this makes sense, but please do not hesitate to reply to this discussion with any additional questions or information.  I will be happy to assist you in any way I can.

Levi

5 Replies
Anonymous
Not applicable

Re: VPN Overhead


Dear Levi,

Thanks for the explanation, and yes, you understood my question properly.

So now let me see if I understand: let's assume that I'm going to send a 64-byte packet. If, for example, I used the transform set esp-(3des or des), I should add 45 bytes to each transmitted packet, right!? So we are going to have a total of 109 bytes.

Is this correct!?

Thanks again,

Anonymous
Not applicable

Re: VPN Overhead


Yes, your understanding is correct. A 64 byte packet encrypted by the IPSec transform set esp-(3des or des) would add 45 bytes to the original packet, for a total of 109 bytes.

Let me know if you have additional questions.

Levi
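
Added example, not part of the original thread or the AOS document: the table's maxima can be rebuilt from the individual IPsec header fields, which also shows how the per-packet overhead depends on padding. It assumes IPv4 tunnel mode, CBC ciphers, 96-bit truncated HMACs, minimal padding and no NAT-T or GRE; the function names are illustrative.

```python
# Added example: per-packet IPsec overhead from header fields.
# Assumptions (not stated on the page): IPv4 tunnel mode, CBC ciphers,
# 96-bit truncated HMAC ICVs, minimal padding, no NAT-T or GRE.
OUTER_IP = 20      # new IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
AH_HDR = 24        # 12 fixed bytes + 12-byte ICV
ICV = 12           # HMAC-SHA1-96 / HMAC-MD5-96
BLOCK = {"des": 8, "3des": 8, "aes": 16}  # CBC block size == IV size


def overhead(inner_len, cipher=None, esp_auth=False, ah=False):
    """Bytes added to an inner packet of inner_len bytes."""
    if cipher is None and not ah:
        raise ValueError("need an ESP cipher, AH, or both")
    total = OUTER_IP + (AH_HDR if ah else 0)
    if cipher is not None:
        block = BLOCK[cipher]
        # Pad so payload + padding + trailer fills whole cipher blocks.
        pad = -(inner_len + ESP_TRAILER) % block
        total += ESP_HDR + block + pad + ESP_TRAILER
        if esp_auth:
            total += ICV
    return total


def max_overhead(cipher=None, esp_auth=False, ah=False):
    """Worst case over all inner lengths (padding at block - 1)."""
    span = BLOCK.get(cipher, 1)
    return max(overhead(n, cipher, esp_auth, ah) for n in range(20, 20 + span))


def wire_size(inner_len, **transform):
    """Size of the protected packet for a given inner packet length."""
    return inner_len + overhead(inner_len, **transform)


if __name__ == "__main__":
    for n in (64, 576, 1400):
        size = wire_size(n, cipher="aes", esp_auth=True)
        print(f"{n:5d} B inner -> {size:5d} B on the wire "
              f"({100 * (size - n) / n:.1f}% overhead)")
```

Under these assumptions the table's figures are upper bounds: a 64-byte packet under esp-3des needs 6 pad bytes rather than the worst-case 7, and the relative cost is highest for small packets.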

Anonymous
Not applicable

Re: VPN Overhead


Dear Levi,

Thanks for all the help, now everything is clear.

We keep in touch,

Anonymous
Not applicable

Re: VPN Overhead


I have marked this question as "assumed answered," but do not hesitate to reply to this post with additional questions on this topic.

Levi