How to Improve Performance for IPSec Traffic

Printer Friendly Page


This document is intended to help improve performance for IPSec traffic. 



Traffic to be tunneled will generally add 36 bytes to the original size of the packet because of the ESP header.

One thing to keep in mind, depending on the encryption algorithm used, the ESP header may vary in size. 

Note: If the MTU on a device is hard set using this info (36 bytes) it is possible for the tunnel to fail and break any path MTU algorithm. Which is why we recommend the resolution below.



For example, if the original packet size is greater than 1464 bytes, the resulting tunneled packet ends up to be larger than 1500 bytes, causing slowness and sluggishness between IPSEC peers because if packet fragmentation.



Enabling the option "Adjust TCP MSS" to automatically adjust MSS on the interface terminating the tunnel will resolve that issue by adjusting the MTU to compensate for the extra encapsulation.


owner: kadak


Tags (6)

PANOS does not copy the DF bit from the clear-text (inner) IP header to encrypted (outer) IP header, does it ?

While the ESP header is 36 bytes, it's not safe to make the generalized statement that the traffic always gets 36 bytes.  Depending on the encryption algorithm used, this may not be true. 

Seems that the document should be modified to reflect that concept, otherwise, someone may use that information to hard set an MTU on a device using that tunnel and break any path MTU algorithm....

Thanks for the comments, as this information has been used to improve this article.

Just to verify:


"on the interface terminating the tunnel" means the outside "WAN" interface if you got physical outside "WAN" interface (aka crypto), physical inside "LAN" (aka cleartext) and virtual "TUNNEL.1" interface?


Also, is this only needed on the outside "WAN" interface and not on the other interfaces aswell?

@mikand, This option needs to be enabled on the interface that is going to be communicating with the VPN Peer. This is 95% of the time the External/WAN/Untrusted interface.

There are times in which you could use a DMZ interface or Internal/Trust interface to communicate to a VPN Peer, but not not normally.


I hope this makes sense.