VPN tunnel size?

itdaddy (Senior Member, Posts: 2,088)
Hi guys,

I have never gotten a good answer on this. But say you have a VPN router traversing your internet and the internet is 50/50 Mbps up and down. What percentage of bandwidth does the VPN take up?

The reason I am asking this is we have a VPN that traverses the INET router, and people here can access the INET over the same router. So if many people are doing massive amounts of updates, the router gets saturated and overloaded. Which does affect the VPN tunnel size? How can I quantify the size of the VPN compared to the bandwidth taken up on the 50 meg pipe?

People here at work always ask me what is being used on the VPN, or how small the VPN gets when people are overloading the INET router. How can I quantify both of these? We have SolarWinds and I can see how much traffic is flowing over the pipe, but how does the VPN GRE/IPsec tunnel react to more or less bandwidth being available to it? You can use QoS for this, correct? To allow a certain percentage of the INET router.


  • Danielh22185 (Member, Posts: 1,195)
    I'll try to take this apart.

    Firstly, are you doing hardware- or software-level encryption? (show crypto engine). What kind of router is this?

    I am not sure what you mean by the "size" of the VPN, but it should follow a pretty standard MTU size. If the datagram is too large it will need to be fragmented and sent as an additional TCP stream. You will have limitations, especially when considering the IPsec overhead to account for the additional encapsulations required.

    QoS might help a bit if you are pushing tons of IPsec traffic and need to dedicate router resources better.

    Although it sounds to me like you have a big enough pipe, yet the router cannot handle the IPsec traffic fast enough. Curious... why would people be sending massive amounts of data over an IPsec VPN anyway? Most times an IPsec VPN is not to be considered a primary means of connection, due to the overhead required on the datagram itself AND of course on the network equipment.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
  • itdaddy (Senior Member, Posts: 2,088)
    My bad, Daniel.

    The VPN tunnel (GRE/IPsec) shares the same pipe/link as the INET people. So you have INET users and the VPN tunnel over the same outbound connection?

    Imagine the VPN router WAN going into a DMZ switch (public IP zone), and the INET Palo Alto firewall public WAN going into the same DMZ switch public IP zone/VLAN, and then out to an edge router to the internet (INET). They both share the pipe. Is it just like a FIFO kind of thing, and if no QoS is used, say for ESP traffic, then it is like any default traffic and it just gets crushed if oversubscribed by INET traffic?
  • Welly_59 (Member, Posts: 431)
    Exactly. They share the same pipe. As far as the router/switch is concerned, it's just data being pumped out of its egress port.
  • itdaddy (Senior Member, Posts: 2,088)
    So do you think this will work on a spoke VPN router where the termination point is, and then on the edge internet router I can put the QoS service policy allowing 10 meg in both directions for ESP traffic, source/destination match-all policy? That way the IPsec never has to fight for in and out of the edge internet router, because on both ends of the router it is wide open. When we have high internet usage the tunnel is affected, the programmers said, so my idea was to do QoS on both up and down, or in and out, of the edge router, since I feel that is the default router for all devices to go to the internet and I have control over that right before the ISP switch VLAN. I am not tagging; I am only making an express lane, so to speak, for ESP traffic up and down, or in and out, of that internet edge router. Do you think this will increase performance of the ESP traffic and reduce latency? I feel it will, but wanted you guys' opinion. Thanks.

    ==== below my idea ====
    QoS bandwidth command for IPsec ESP traffic on transit routers?
    Hi guys,
    I need your advice. I think I have seen this before and used it, but below is an article on allotting bandwidth on the termination endpoint for the VPN. Say you have an edge internet router that all traffic at your company goes through, but of course it is using FIFO and no QoS on the edge internet router. This router is the default route for email, VPN ESP traffic, internet for the company, and public servers, and I wanted to put down QoS to guarantee 10 meg, or 20%, on that edge router because I feel IPsec is being crushed.
    We are using GRE/IPsec and I see the tunnel flapping a lot, and the programmers say there is lots of latency on their access to their production servers through or across the VPN IPsec tunnel. I think the choking point is on the edge router using FIFO, and when people here at our company do company-wide updates on their machines, it seems to choke or create a lot of latency on the production VPN tunnel. So my idea was to create a service policy and place it on the edge router that is the gateway to the internet, then the fiber
    switch, which I know is wide open. I asked Charter for a month's analysis/utilization diagram and I do not see a lot of use taking up the pipe, but I do see lots of spiking and bursty traffic, and I think IPsec is fighting to get in there. So if I create an IPsec service QoS policy on both the up and down interfaces, applied outward, guaranteed for ESP source/destination both ways, 20% of the 50 meg line, which is 10 meg for sure, which is dedicated logically, I do not feel they will have any latency issues.

    My question is: can you, on the transit router and not at the termination point of the IPsec, do a QoS policy, and will it be honored?
    My first thought is yes, but wanted your advice.
    It makes sense to me that the IPsec is fighting with email, internet, and public server traffic due to the bursty and constant competing for link speed. If I were to allot 10 meg up and down for ESP traffic source/destination, it will leave it wide open for IPsec traffic and thus be a logical dedication. What do you think, will it work, or does the service policy need to decrypt and encrypt before it sees it?

    Configuring QoS for Encrypted Traffic with IPsec* [Cisco IOS IPsec] - Cisco Systems
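An added example (not from the thread or from the linked Cisco article) of what the transit-router policy discussed above would look like in Cisco IOS MQC. It assumes constructed peer addresses 203.0.113.10 (hub) and 198.51.100.20 (spoke), an ISP-facing interface GigabitEthernet0/0, and the 50 Mbps line from the thread; the interface name and addresses are placeholders. On a transit router the packets are already ESP, so the class matches on IP protocol 50 and the peer addresses and nothing needs to be decrypted; qos pre-classify is only relevant on the router doing the encryption.

```cisco
! Constructed peer addresses (RFC 5737 documentation ranges), both directions
ip access-list extended ESP-VPN-PEERS
 permit esp host 203.0.113.10 host 198.51.100.20
 permit esp host 198.51.100.20 host 203.0.113.10
!
class-map match-all VPN-ESP
 match access-group name ESP-VPN-PEERS
!
! Child policy: reserve 20% (10 Mbps of 50) for ESP during congestion,
! fair-queue the rest so one bursty update flow cannot starve others
policy-map VPN-QUEUEING
 class VPN-ESP
  bandwidth percent 20
 class class-default
  fair-queue
!
! Parent shaper: the physical port is faster than the 50 Mbps service, so
! without shaping the router never sees congestion and the queues never engage
policy-map SHAPE-TO-ISP
 class class-default
  shape average 50000000
  service-policy VPN-QUEUEING
!
interface GigabitEthernet0/0
 description Edge link toward ISP (placeholder interface)
 service-policy output SHAPE-TO-ISP
```

This only protects the upload direction: queuing happens on the interface that transmits, so for inbound traffic the congestion point is the ISP's side of the link and an input service-policy on this router can police but cannot reorder packets already dropped upstream. Verify the class is seeing packets with show policy-map interface GigabitEthernet0/0.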