VPN Technologies & Associated Overheads

Whenever we configure a VPN tunnel, we should take into consideration the impact it will have on the performance of the router or firewall. The performance degradation of the device is directly proportional to the kind of encryption and encapsulation used in the VPN tunnel. I was able to find a table containing overhead details for the various VPN tunnel types with different encryption and encapsulation standards, and I am sharing it below:

| Tunneling VPN encapsulation                              | Overhead      |
|----------------------------------------------------------|---------------|
| GRE, mGRE or DMVPN without IPSec                         | 24 bytes      |
| IPSec transport mode (DES/3DES)                          | 18 – 25 bytes |
| IPSec transport mode DES/3DES + SHA-1/MD5                | 30 – 37 bytes |
| IPSec tunnel mode DES/3DES                               | 38 – 45 bytes |
| IPSec tunnel mode DES/3DES + SHA-1/MD5                   | 50 – 57 bytes |
| IPSec transport mode AES + SHA-1                         | 38 – 53 bytes |
| IPSec tunnel mode AES + SHA-1                            | 58 – 73 bytes |
| GRE/DMVPN + IPSec transport mode DES/3DES                | 42 – 49 bytes |
| GRE/DMVPN + IPSec transport mode DES/3DES + SHA-1/MD5    | 54 – 61 bytes |
| GRE/DMVPN + IPSec transport mode AES + SHA-1             | 62 – 77 bytes |

The variation in overhead size comes from padding: the encryption pads the payload so that its length fits a whole number of the cipher's block size, and so that the field that follows is aligned.

To prevent fragmentation of GRE or IPSec packets (and the resulting performance degradation on the receiving router), you should lower the MTU on the tunnel interface. The following table documents the maximum and the recommended MTU for each encapsulation:

| Tunneling VPN encapsulation                  | Maximum MTU | Recommended MTU |
|----------------------------------------------|-------------|-----------------|
| GRE, mGRE or DMVPN without IPSec             | 1476        | 1476            |
| IPSec VTI (DES/3DES)                         | 1456        | 1400            |
| IPSec VTI (AES + SHA-1)                      | 1428        | 1400            |
| GRE/DMVPN + IPSec DES/3DES + SHA-1/MD5       | 1440        | 1400            |
| GRE/DMVPN + IPSec AES + SHA-1                | 1424        | 1400            |
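The two tables above can be derived from the ESP packet layout, which makes it easier to see where the ranges come from and why a lower tunnel MTU is needed. The following Python script is an added example, not part of the original post or of any vendor documentation: it rebuilds the overhead ranges of the first table from the standard ESP header, IV, padding, trailer and ICV sizes, and then computes the largest inner packet that still fits an assumed 1500-byte Ethernet link MTU. The header sizes (20-byte IPv4, 4-byte GRE, 8-byte ESP header, 2-byte trailer, 12-byte truncated HMAC) and the 1500-byte link MTU are assumptions; the vendor "Maximum MTU" figures quoted above are a little more conservative than the exact calculation, but both lead to the same practical recommendation of 1400.

```python
# Added example (not from the original post): derive ESP/GRE overhead ranges
# from the ESP packet layout and turn them into a tunnel MTU. All sizes below
# are assumed standard values (IPv4, minimal GRE, HMAC-*-96 ICV, 1500-byte link).

OUTER_IP_HDR = 20      # new IPv4 header added in tunnel mode (or by GRE)
GRE_HDR = 4            # minimal GRE header (no key/sequence/checksum)
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV_LEN = 12           # HMAC-SHA-1-96 / HMAC-MD5-96 truncated authenticator

# cipher name -> (IV length, cipher block size) for the ciphers in the tables
CIPHERS = {
    "des": (8, 8),
    "3des": (8, 8),
    "aes-cbc": (16, 16),
}


def esp_padding(payload_len, cipher):
    """Padding ESP adds so that payload + padding + 2-byte trailer is a
    multiple of the cipher block size (0 .. block-1 bytes)."""
    _, block = CIPHERS[cipher]
    return (-(payload_len + ESP_TRAILER)) % block


def esp_overhead(payload_len, cipher, auth=True, tunnel=True, gre=False):
    """Total bytes added to an inner packet of payload_len bytes.

    tunnel=True adds the new outer IP header of ESP tunnel mode;
    gre=True adds the outer IP + GRE header of GRE/DMVPN (with ESP in
    transport mode protecting the GRE packet, as in the tables)."""
    iv, _ = CIPHERS[cipher]
    total = ESP_HDR + iv + esp_padding(payload_len, cipher) + ESP_TRAILER
    if auth:
        total += ICV_LEN
    if tunnel:
        total += OUTER_IP_HDR
    if gre:
        total += OUTER_IP_HDR + GRE_HDR
    return total


def overhead_range(cipher, auth=True, tunnel=True, gre=False):
    """(min, max) overhead over all payload lengths, i.e. the table's range.
    Only block-size-many lengths need checking because padding repeats."""
    _, block = CIPHERS[cipher]
    vals = {esp_overhead(n, cipher, auth, tunnel, gre) for n in range(block)}
    return min(vals), max(vals)


def gre_mtu(link_mtu=1500):
    """Inner MTU for plain GRE/mGRE/DMVPN without IPSec (fixed 24-byte overhead)."""
    return link_mtu - OUTER_IP_HDR - GRE_HDR


def max_inner_mtu(cipher, link_mtu=1500, **kw):
    """Largest inner packet whose encapsulated size still fits link_mtu.
    Padding depends on the length, so each candidate is checked exactly
    instead of simply subtracting the worst-case overhead."""
    n = link_mtu
    while n + esp_overhead(n, cipher, **kw) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    rows = [
        ("IPSec transport DES/3DES", "3des", dict(auth=False, tunnel=False)),
        ("IPSec transport DES/3DES + SHA-1/MD5", "3des", dict(tunnel=False)),
        ("IPSec tunnel DES/3DES + SHA-1/MD5", "3des", {}),
        ("IPSec tunnel AES + SHA-1", "aes-cbc", {}),
        ("GRE/DMVPN + IPSec transport AES + SHA-1", "aes-cbc",
         dict(tunnel=False, gre=True)),
    ]
    for name, cipher, kw in rows:
        lo, hi = overhead_range(cipher, **kw)
        print(f"{name:45s} {lo:3d} - {hi:3d} bytes, "
              f"max inner MTU {max_inner_mtu(cipher, **kw)}")
    print(f"GRE without IPSec: 24 bytes, max inner MTU {gre_mtu()}")
```

Setting the tunnel MTU to the recommended 1400 bytes (and, on Cisco devices, clamping the TCP MSS on the tunnel interface accordingly) keeps every row above comfortably below the 1500-byte link MTU, so no row of the table fragments regardless of the payload length and padding.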

So, when choosing a VPN technology, always take a close look at the hardware you plan to use, your business requirements and the performance you need.