In turn, transmitting less usable data means that more packets are necessary to transfer the required data. This means additional time is required to complete the data transfer!
It should be evident how an IPsec mode can introduce a ripple effect, which affects the whole process of transferring data between sites, causing major fragmentation of the encrypted packets and delays.
So how much overhead are we talking about? Let's take a look:
GRE IPsec tunnel mode consists of the following overhead:
ESP Overhead: 52 Bytes
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
Total Overhead: 52 + 24 = 76 Bytes
GRE IPsec transport mode consists of the following overhead:
ESP Overhead: 52 Bytes
GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes
The result shows a difference of 20 bytes between the two GRE IPsec modes. While this might not seem like much for one packet, when talking about transferring hundreds of megabytes, the overhead is considerable.
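The per-packet figures above carried through to a whole transfer, as an added example that is not part of the original article. It assumes a 1500-byte link MTU and 40 bytes of inner IPv4 and TCP headers, treats the article's 52-byte ESP figure as fixed, and uses hypothetical function names.

```python
import math

# Per-packet figures from the article, in bytes.
ESP_OVERHEAD = 52
GRE_HEADER = 4
GRE_IP_HEADER = 20  # extra GRE IP header, carried only in tunnel mode

# Assumptions (not from the article): Ethernet-sized link MTU and
# IPv4 + TCP headers without options on the inner packet.
LINK_MTU = 1500
INNER_IP_TCP_HEADERS = 40


def overhead(mode):
    """Total GRE-over-IPsec overhead per packet for 'tunnel' or 'transport'."""
    if mode == "tunnel":
        return ESP_OVERHEAD + GRE_IP_HEADER + GRE_HEADER
    if mode == "transport":
        return ESP_OVERHEAD + GRE_HEADER
    raise ValueError(f"unknown IPsec mode: {mode!r}")


def needs_fragmentation(mode, inner_packet_len, link_mtu=LINK_MTU):
    """True if an inner IP packet no longer fits the link once encapsulated."""
    return inner_packet_len + overhead(mode) > link_mtu


def transfer_cost(mode, payload_bytes, link_mtu=LINK_MTU):
    """Packets and on-the-wire bytes needed to move payload_bytes over TCP."""
    inner_mtu = link_mtu - overhead(mode)      # largest unfragmented inner packet
    mss = inner_mtu - INNER_IP_TCP_HEADERS     # usable data per packet
    packets = math.ceil(payload_bytes / mss)
    wire_bytes = payload_bytes + packets * (INNER_IP_TCP_HEADERS + overhead(mode))
    return {"inner_mtu": inner_mtu, "mss": mss,
            "packets": packets, "wire_bytes": wire_bytes}


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        cost = transfer_cost(mode, 100_000_000)   # constructed 100 MB transfer
        print(mode, cost, "1440-byte packet fragments:",
              needs_fragmentation(mode, 1440))
```

Under these assumptions, inner packets between 1425 and 1444 bytes are fragmented in tunnel mode but pass intact in transport mode, which is where the 20-byte difference shows up first.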
The additional overhead can also affect a router's performance when dealing with multiple VPNs at high-speed connections. The impact of the additional overhead on a router connected via an asymmetrical digital subscriber line (ADSL) connection might not be noticeable, due to the restricted upload speeds. However, on Symmetric Digital Subscriber Lines (SDSL), Very-high-bit-rate Digital Subscriber Lines (VDSL) or leased lines where network speeds can reach up to 50 to 60 MBps or more, the impact on the router's performance is usually noticeable.
Again, how much a router's performance is hit will also depend on the model, CPU processing power and overall services offered on it.
A good practice is to run IPsec tunnel mode to obtain the best possible security, while ensuring corporate headquarters uses VPN hardware acceleration. This will help alleviate the burden of VPN processing and ensure VPN performance is at its peak!
This was first published in June 2012