Configure Your IPsec Scenario
Use tunnel variables, framing layers, and protocol details to estimate overhead, MTU, MSS, and fragmentation behavior.
Example Data Table
Use these sample scenarios to compare how encapsulation choices change tunnel overhead, MTU headroom, and TCP MSS planning.
| Scenario | Path MTU | Profile | Mode | Extras | Total Overhead | Effective MTU | TCP MSS |
|---|---|---|---|---|---|---|---|
| Branch VPN over broadband | 1500 | ESP AES-GCM-128 | Tunnel | NAT-T + PPPoE | 72 | 1428 | 1376 |
| Data center interconnect | 1500 | ESP AES-CBC + SHA2 | Tunnel | Single VLAN | 80 | 1420 | 1368 |
| Transport mode server link | 1500 | ESP ChaCha20-Poly1305 | Transport | No extra framing | 40 | 1460 | 1408 |
Formula Used
The calculator models IPsec expansion as a sum of protocol headers, authentication tags, encapsulation layers, and padding. Tunnel mode adds a new outer IP header, while transport mode keeps the original packet header and only applies security overhead.
Overhead Equation
Total Overhead = Outer IP + Security Header + IV or Nonce + Padding + Trailer + ICV or Tag + NAT-T + PPPoE + GRE + VLAN + MPLS + Custom Extra
Padding is computed from the selected alignment and the payload estimate. AH profiles skip encryption padding and ESP trailer bytes.
MTU and MSS Equations
Effective MTU = Path MTU - Total Overhead
TCP MSS = Effective MTU - Inner IP Header - TCP Header - TCP Options
A safety margin can then be subtracted to create conservative MTU and MSS values for real deployments.
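The overhead, MTU and MSS equations above worked through in Python, as an added example that is not the calculator's own code. The per-profile byte counts, the extras sizes, the IPv4 outer header and the 12-byte TCP options default are assumptions, so results match the table only where the calculator's presets use the same sizes; padding follows the ESP rule that payload plus padding plus the 2-byte trailer must be a multiple of the alignment.

```python
from dataclasses import dataclass

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20


@dataclass(frozen=True)
class Profile:
    sec_hdr: int  # ESP header (SPI + sequence) = 8; AH fixed part = 12
    iv: int       # IV or nonce carried on the wire
    icv: int      # integrity check value or AEAD tag
    align: int    # encryption alignment: cipher block size, or 4 for AEAD
    trailer: int  # ESP pad-length + next-header bytes; 0 for AH

# Assumed preset sizes, constructed for this example; the calculator's presets may differ.
PROFILES = {
    "ESP AES-GCM-128": Profile(8, 8, 16, 4, 2),
    "ESP AES-CBC + SHA2": Profile(8, 16, 16, 16, 2),
    "AH SHA2": Profile(12, 0, 16, 1, 0),
}
EXTRAS = {"nat_t": 8, "pppoe": 8, "gre": 4, "vlan": 4, "mpls": 4}  # assumed sizes


def esp_padding(profile, payload):
    """Bytes that make payload + padding + trailer a multiple of the alignment (RFC 4303)."""
    if profile.trailer == 0:  # AH: no encryption padding and no ESP trailer
        return 0
    return (-(payload + profile.trailer)) % profile.align


def overhead(profile, tunnel, payload, extras=(), custom=0, outer_ip=IPV4_HDR):
    """Itemised Total Overhead; tunnel mode adds an outer IP header (IPv4 assumed)."""
    parts = {"outer_ip": outer_ip if tunnel else 0, "sec_hdr": profile.sec_hdr,
             "iv": profile.iv, "padding": esp_padding(profile, payload),
             "trailer": profile.trailer, "icv": profile.icv, "custom": custom}
    parts.update({name: EXTRAS[name] for name in extras})
    return parts


def plan(path_mtu, profile, tunnel, payload, extras=(), inner_v6=False,
         tcp_opts=12, margin=0, custom=0):
    """Effective MTU, TCP MSS and fragmentation risk for one scenario."""
    parts = overhead(profile, tunnel, payload, extras, custom)
    total = sum(parts.values())
    inner_ip = IPV6_HDR if inner_v6 else IPV4_HDR
    effective_mtu = path_mtu - total - margin  # margin makes the result conservative
    mss = effective_mtu - inner_ip - TCP_HDR - tcp_opts
    # Transport mode keeps the original IP header outside ESP, so it is added back here;
    # in tunnel mode the inner header is already part of the ESP payload.
    wire_size = payload + total + (0 if tunnel else inner_ip)
    return {"breakdown": parts, "total": total, "effective_mtu": effective_mtu,
            "mss": mss, "fragmentation_risk": wire_size > path_mtu}
```

With a 1400-byte payload estimate, `plan(1500, PROFILES["ESP AES-GCM-128"], True, 1400, ("nat_t", "pppoe"))` reproduces the first table row (72 / 1428 / 1376); raising the payload to 1440 bytes flips `fragmentation_risk` because the encapsulated packet no longer fits in the path MTU.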
How to Use This Calculator
- Enter the path MTU provided by your WAN, VPN underlay, or measured path discovery results.
- Choose the inner IP version and decide whether your deployment uses tunnel mode or transport mode.
- Select the IPsec security profile that best matches your firewall, router, or VPN gateway configuration.
- Turn on extras such as NAT-T, PPPoE, GRE, VLAN tags, or MPLS labels when those layers exist on the path.
- Provide a realistic payload estimate so the calculator can compute ESP padding more accurately.
- Set TCP options bytes and a safety margin if you want a more conservative MSS clamp for production use.
- Press the calculate button to view overhead breakdown, effective MTU, recommended MSS, and fragmentation risk above the form.
Frequently Asked Questions
1. Why does IPsec reduce usable MTU?
IPsec adds security headers, trailers, authentication data, and sometimes a new outer IP header. Those bytes consume space inside the path MTU, leaving less room for the original packet.
2. What is the difference between tunnel and transport mode?
Tunnel mode wraps the original packet inside a new outer IP header, so overhead is higher. Transport mode secures the payload of the original IP packet without creating a second IP header.
3. Why does NAT-T change MTU calculations?
NAT traversal encapsulates IPsec traffic inside UDP, adding an 8-byte UDP header. That small increase can still matter when you are tuning MSS clamps or working near strict MTU limits.
4. Why is padding different across encryption profiles?
Block ciphers align encrypted data to block boundaries, so padding depends on block size and payload length. AEAD profiles often use smaller alignment requirements, which usually lowers variable overhead.
5. Should I always use the calculated MSS directly?
Usually you should subtract a small safety margin before setting a production MSS clamp. Real paths may include unseen framing, mixed traffic patterns, or device-specific behavior not captured in a simple model.
6. Does this calculator account for every vendor implementation?
No. It provides a practical planning model using common IPsec overhead patterns. Vendor platforms can differ in nonce size, alignment, extra headers, or hidden framing, so validate with live packet captures when possible.
7. When should I use the custom profile?
Use it when your firewall, router, or cloud VPN service publishes overhead values that differ from the standard presets. It is also useful for testing proprietary encapsulation or unusual integrity lengths.
8. Why include VLAN, MPLS, GRE, or PPPoE in an MTU tool?
These layers can exist below or alongside IPsec on the same path. Ignoring them can produce optimistic MTU values, which leads to fragmentation, black holing, or unnecessary retransmissions.