5 Replies Latest reply on Mar 5, 2012 11:45 AM by levi

    VPN Overhead

    dcorrea Visitor

      Dear Guys,


      I'm writing you because I have a situation with a VPNs traffic, I was questioned about if a traffic over a VPN consumes more bandwidth than a NAT traffic to reach a web server.


      Imagine this, I have a Web server hosted on a data center, and for reach it I can use a static NAT with a public IP, or use a VPN tunnel from the remote location to the data center.


      My answer is that the traffic will generate more overhead and consume more bandwith because the encryption and payloads headers of the VPN, in contrast if the remote site uses the access directly to the internet across the public IP of the server it will consume less bandwidth.


      If my asseveration is good, I would like to ask for a technical document in which we can prove how overload the VPN traffic generates.


      Would you help me here!?


      Thanks in advance,

        • Re: VPN Overhead

          Thank you for asking this question.  If I understand your question properly, you are asking which takes up more bandwidth an IPSec VPN or a NAT'ed packet.  The answer is an IPSec VPN takes up more bandwidth.  As you stated, the IPSec VPN adds additional overhead for encryption and hashing.  The table below specifies how much overhead is added for each IPSec Transform set variation:


          IPSec Transform Set CombinationMaximum IPSec Overhead (Bytes)
          esp-(3des or des) esp-(sha or md5)-hmac


          esp-(3des or des)45
          esp-aes-(128, 192, or 256) esp-(sha or md5)-hmac73
          esp-aes-(128, 192, or 256)61
          ah-(sha or md5)-hmac esp-(3des or des)69
          ah-(sha or md5)-hmac esp-aes-(128, 192, or 256)85
          ah-(sha or md5)-hmac44


          This information can be found in the document Configuring a GRE over IPSEC VPN Tunnel in AOS.


          I hope this makes sense, but please do not hesitate to reply to this discussion with any additional questions or information.  I will be happy to assist you in any way I can.



            • Re: VPN Overhead
              dcorrea Visitor

              Dear Levi,


              Thanks for the explanation and yes you understand my question properly.


              So now let me see if I understand, let's assume that I'm going to send a 64bytes  packet, for each of them, if for example I used the transform set esp-(3des or des) I should add 45 bytes to each packet of the transmitted packet, right!? so we are going to have a total of 109bytes.


              Is this correct!?


              Thanks again,