🔒 Tunnel Configuration
bytes
Enter packet size 40–9000 bytes.
Standard Ethernet: 1500 • Jumbo: 9000 • VoIP: 60–200
GRE over IPSec is the standard DMVPN / FlexVPN config
AES-GCM preferred: no padding, faster, integrated auth
Select GCM integrated if using AES-GCM above
Mbps
For effective throughput calculation
Total Tunnel Overhead
—
Sources & Methodology
Header sizes from RFC 4303 (ESP), RFC 4302 (AH), RFC 2784 (GRE), RFC 3948 (NAT-T). AES-GCM IV from NIST SP 800-38D.
RFC 4303 — IP Encapsulating Security Payload (ESP)
Defines ESP header (8 bytes), IV sizes for AES-CBC (16B) and AES-GCM (8B), ESP trailer format (Pad + NH = 2B), and ICV sizes for HMAC variants. Source for all ESP overhead calculations.
RFC 4302 — IP Authentication Header (AH)
Defines AH fixed header (8 bytes) plus ICV. Source for AH overhead used in authentication-only IPSec tunnel configurations.
RFC 2784 — Generic Routing Encapsulation (GRE)
Defines GRE mandatory header (4 bytes) plus outer IP header (20 bytes). Source for GRE overhead of 24 bytes minimum in GRE and GRE over IPSec configurations.
Methodology:
ESP tunnel: 20B (new IP) + 8B (ESP hdr) + IV + AES-CBC padding + 2B (trailer) + ICV
GRE: 20B (new IP) + 4B (GRE hdr) = 24B
GRE over IPSec transport: 24B (GRE) + 8B (ESP hdr) + IV + pad + 2B + ICV
AES-CBC padding: next multiple of 16 minus (payload+2). AES-GCM: no padding. NAT-T adds 8B UDP encapsulation. Overhead % = overhead / (overhead + payload) x 100. Effective MTU = interface MTU - overhead. Effective throughput = link Mbps x (1 - overhead pct).
Last reviewed: April 2026
How Is IPSec and GRE Overhead Calculated?
Every VPN tunnel wraps the original IP packet in one or more additional headers. The total overhead determines the effective MTU of the tunnel and proportionally reduces throughput. Accurate calculation is critical for avoiding fragmentation, sizing VPN concentrators, and ensuring voice and video traffic has sufficient headroom.
IPSec ESP Tunnel Mode: new IP(20) + ESP(8) + IV + padding + trailer(2) + ICV
Example — AES-256-CBC, HMAC-SHA2-256-128, 1500-byte IP packet:
New IP: 20B • ESP header: 8B • IV: 16B • ESP trailer: 2B
AES-CBC padding: ceil((1500+2)/16) x 16 - 1502 = 1504 - 1502 = 2B
ICV: 16B
Total overhead = 20+8+16+2+2+16 = 64 bytes
Effective MTU on 1500-byte link = 1500 - 64 = 1436 bytes
New IP: 20B • ESP header: 8B • IV: 16B • ESP trailer: 2B
AES-CBC padding: ceil((1500+2)/16) x 16 - 1502 = 1504 - 1502 = 2B
ICV: 16B
Total overhead = 20+8+16+2+2+16 = 64 bytes
Effective MTU on 1500-byte link = 1500 - 64 = 1436 bytes
Tunnel Type Overhead Comparison
| Tunnel Type | Typical Overhead | Effective MTU | Notes |
|---|---|---|---|
| GRE only | 24 bytes | 1476 bytes | No encryption, trusted links only |
| IPSec ESP AES-128-GCM | 50–58 bytes | 1442–1450 bytes | Modern preferred, no padding |
| IPSec ESP AES-256-CBC + SHA2 | 62–74 bytes | 1426–1438 bytes | Most common site-to-site |
| GRE over IPSec AES-256-CBC | 76–88 bytes | 1412–1424 bytes | Standard DMVPN/FlexVPN |
| GRE over IPSec + NAT-T | 84–96 bytes | 1404–1416 bytes | Remote sites behind NAT |
AES-GCM vs AES-CBC for IPSec
AES-GCM (Galois/Counter Mode) is the modern preferred algorithm for IPSec. Compared to AES-CBC it eliminates separate HMAC authentication (saving 12 to 24 bytes), has no block-alignment padding (saving 0 to 15 bytes), and uses an 8-byte IV instead of 16 bytes (saving 8 bytes). Total savings of 20 to 47 bytes per packet over AES-256-CBC with HMAC-SHA2-256. AES-GCM also performs significantly faster on hardware with AES-NI support.
MTU Configuration for IPSec Tunnels
The most common VPN problem is misconfigured MTU. Symptoms include: large web pages loading slowly over VPN while small pages work, ICMP pings succeeding but HTTPS connections failing, and SCP/FTP working but SSH sessions hanging. The root cause is almost always IP fragmentation due to MTU mismatch.
- Set tunnel interface
ip mtuto physical MTU minus overhead - Set
ip tcp adjust-mssto tunnel MTU minus 40 bytes (IP + TCP headers) - For GRE over IPSec with AES-256-CBC on 1500-byte links:
ip mtu 1420andip tcp adjust-mss 1380 - Enable Path MTU Discovery (PMTUD) but note some firewalls block ICMP Fragmentation Needed messages
💡 Cisco config example for GRE over IPSec:
Adjust the MTU value based on the calculator output for your specific cipher suite and interface MTU.
interface Tunnel0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.xAdjust the MTU value based on the calculator output for your specific cipher suite and interface MTU.
Frequently Asked Questions
IPSec ESP tunnel mode adds: new IP header 20B, ESP header 8B, IV 16B for AES-CBC or 8B for AES-GCM, AES-CBC padding 0 to 15B, ESP trailer 2B, and ICV 12 to 16B. Typical total: 62 to 74 bytes for AES-256-CBC with SHA2-256, or 50 to 58 bytes for AES-128-GCM. Use the calculator above for your exact combination.
GRE adds a new outer IP header 20 bytes plus the GRE header 4 bytes minimum, for a total of 24 bytes overhead. On a 1500-byte Ethernet interface the effective MTU becomes 1476 bytes. GRE without IPSec provides no encryption or authentication and should only be used on trusted private networks.
GRE adds 24 bytes, then IPSec ESP transport mode adds approximately 46 to 60 bytes. Total overhead: 70 to 84 bytes with AES-256-CBC, giving an effective MTU of approximately 1416 to 1430 bytes. Add 8 more bytes if NAT-T is active. This is the most common enterprise VPN configuration used in Cisco DMVPN and FlexVPN.
Effective MTU = physical interface MTU minus total tunnel overhead. For 1500-byte Ethernet: GRE only = 1476, IPSec ESP AES-256-CBC = 1426 to 1438, GRE over IPSec = 1412 to 1424. Configure the tunnel interface MTU to this value and set ip tcp adjust-mss to MTU minus 40 to prevent fragmentation.
AES-CBC requires plaintext to be padded to a multiple of 16 bytes. The ESP trailer 2 bytes plus the payload must align to 16. Padding is 0 to 15 bytes depending on packet size. AES-GCM uses counter mode which has no block-alignment requirement, eliminating all padding overhead and making MTU calculations simpler and packet sizes more consistent.
Tunnel mode encapsulates the entire original IP packet with a new outer IP header adding 20 bytes. Used for site-to-site VPNs where the IPSec peers are the gateways. Transport mode only adds the ESP header without a new IP header, saving 20 bytes. Transport mode is used in GRE over IPSec where the GRE already provides the outer IP header.
Yes, two ways: overhead bytes reduce effective throughput proportionally (80 bytes on 1500-byte packets = 5.1% reduction), and encryption processing adds CPU load on software implementations. Modern hardware with AES-NI acceleration handles encryption at line rate. On software-only IPSec such as Linux StrongSwan, CPU is often the bottleneck above 1 Gbps without hardware offload.
AH Authentication Header provides authentication and integrity only with no encryption, adding 24 bytes overhead. AH is rarely used because it cannot traverse NAT (AH signs the outer IP header which NAT modifies) and provides no confidentiality. ESP Encapsulating Security Payload provides encryption plus authentication and is the standard for all modern VPN deployments. ESP with NULL encryption provides auth-only protection that is NAT-compatible.
VoIP uses 60 to 200 byte packets, which suffer proportionally high overhead from IPSec. A 100-byte voice packet with 74 bytes overhead is 174 bytes total (74% overhead). This increases bandwidth consumption but not latency directly. The main VoIP concern over IPSec is jitter from encryption processing delays. Hardware crypto acceleration is essential for VoIP over high-call-density IPSec VPN gateways.
NAT Traversal NAT-T encapsulates IPSec ESP in UDP port 4500 when NAT is detected between peers. This adds 8 bytes of UDP header plus 4 bytes non-ESP marker per packet. NAT-T is automatically negotiated by IKEv2. It is essential for remote access VPN clients behind home NAT routers and is also commonly activated in site-to-site tunnels where one side is behind a PAT device.
Related Calculators
Popular Calculators
NAT/PAT Session Calculator
Networking
Stripe Fee Calculator
Finance
Pain & Suffering
Legal
TDEE Calculator
Health
Roofing Calculator
Construction
GPA Calculator
Education
Mortgage Refinance
Finance
CPM Calculator
Marketing
Markup Calculator
Finance
5g Lte Throughput Calculator
Networking
Nat Pat Session Calculator
Networking
Bgp As Path Calculator
Networking