Good morning, I have a question about the overheads of VTI vs L2L IPSEC vs GRE
after watching Brian M's VTI video on the CCIE security advanced technologies class - I decided to test the same in my own lab, with L2L also. This is because I need to present a business case for ripping out our million L2Ls and senior management were against GRE/IPsec because of overhead, and I've started sneaking in VTIs where I can. Brian used a transit router representing the internet, and disabled fast switching cef etc so we can see transit packets, and compared GRE to VTI. I am interested in L2L vs VTI.
I captured this the same way on the router with debug ip packet detail, also getting the overhead sizes for policy based VPNs. Ignore GRE over IPsec (as obviously it's an extra 24 - and this matches up perfectly) - what I was surprised at was that the VTI on a router vs L2L on an ASA was the same size. I tested again doing VTI vs L2L, both on routers this time, and got the same result. I then captured the packets in Wireshark to take a look.
I'm getting my encapsulated 100 byte ping at 166 bytes for L2L, and 166 bytes for VTI.
20 IP
14 Ethernet
32 ESP
=66 overhead for both VTI and L2L, either on ASA or a router
I thought the VTI would at least be 8 bytes larger, to store the extra source and destination address of the tunnel interfaces, which obviously are not present on the L2L tunnel?
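Worked example added by the editor (not code from the post, Cisco, or any vendor): a small Python model of RFC 4303 ESP in tunnel mode that reproduces the 166-byte figure for a 100-byte ping and shows where the 32 bytes of ESP come from. The transform set is an assumption; the post does not say which cipher or integrity algorithm was configured, and the algorithm names, block/IV/ICV sizes and the `mode_total` helper are the editor's, chosen so that 3DES-CBC with a 96-bit HMAC is the default because that is the combination that yields exactly 32 bytes of ESP overhead here.

```python
"""ESP tunnel-mode size model (added example, not from the original post).

Assumptions: RFC 4303 ESP in tunnel mode over plain IPv4 (no NAT-T UDP
header, no IP options), a CBC cipher with an explicit IV, and a truncated
HMAC ICV. Algorithm names below are illustrative, not the poster's config.
"""

ETHERNET_HDR = 14      # Ethernet II header, as seen in the Wireshark capture
OUTER_IPV4_HDR = 20    # outer IP header carrying the tunnel/peer addresses
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
GRE_HDR = 4            # GRE with no checksum/key/sequence options
INNER_IPV4_HDR = 20    # GRE delivery header added by a GRE tunnel interface

# cipher -> (padding alignment, explicit IV length), both in bytes
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}

# integrity algorithm -> ICV length in bytes (truncated HMAC per RFC 2403/2404/4868)
AUTHS = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
}


def esp_padding(payload_len: int, block: int) -> int:
    """Padding so that payload + pad + 2-byte trailer is a multiple of block."""
    return (-(payload_len + ESP_TRAILER)) % block


def esp_tunnel_size(inner_len: int, cipher: str = "3des-cbc",
                    auth: str = "hmac-sha1-96", on_ethernet: bool = True) -> dict:
    """Size of a tunnel-mode ESP packet wrapping an inner_len-byte IP packet.

    inner_len is the full inner IP packet (Cisco 'ping size 100' = 100 bytes
    of IP datagram). Returns the byte accounting a capture would show.
    """
    block, iv_len = CIPHERS[cipher]
    icv_len = AUTHS[auth]
    pad = esp_padding(inner_len, block)
    esp_len = ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    total = OUTER_IPV4_HDR + esp_len + (ETHERNET_HDR if on_ethernet else 0)
    return {
        "pad": pad,
        "esp": esp_len,
        "esp_overhead": esp_len - inner_len,   # the "32 ESP" line in the post
        "total": total,
    }


def mode_total(mode: str, inner_len: int, **kw) -> int:
    """On-the-wire size for the three encapsulations discussed in the post.

    'crypto-map' (policy-based L2L) and 'vti' both send the inner packet
    directly in tunnel-mode ESP; the tunnel/peer addresses are the outer IP
    header itself, so there is no separate 8-byte field for VTI.
    'gre-over-ipsec' first wraps the packet in GRE plus a delivery IP header
    (24 bytes) and then ESP-encapsulates the result.
    """
    if mode in ("crypto-map", "vti"):
        payload = inner_len
    elif mode == "gre-over-ipsec":
        payload = INNER_IPV4_HDR + GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return esp_tunnel_size(payload, **kw)["total"]


if __name__ == "__main__":
    for mode in ("crypto-map", "vti", "gre-over-ipsec"):
        print(f"{mode:15s} 100-byte ping -> {mode_total(mode, 100)} bytes on the wire")
    for cipher in CIPHERS:
        r = esp_tunnel_size(100, cipher=cipher)
        print(f"{cipher:9s} pad={r['pad']:2d} esp_overhead={r['esp_overhead']} total={r['total']}")
```

With the defaults the model gives 14 + 20 + (8 SPI/seq + 8 IV + 100 inner + 2 pad + 2 trailer + 12 ICV) = 166 bytes, i.e. the same 66 bytes of overhead for a crypto map and a VTI, and 190 bytes for GRE over IPsec. The useful caveat for the business case is that the per-packet overhead moves with the transform set and with payload alignment (the same ping under AES-CBC is 182 bytes, and padding changes as the inner length changes), not with whether the SA was built from a crypto map or a tunnel interface.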