IPsec overheads
The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as seen with 'diag vpn tunnel list'. Subtracting these values from a typical Ethernet MTU of 1500 bytes shows that the FortiGate allocates 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1.
During encryption, AES and DES operate on data of a fixed size, the block size. If the data is smaller than the block size, it is padded for the operation. MD5/SHA-1 HMAC also operates using a specific block size.
The following table describes the potential maximum overhead for each IPsec transform set:
| IPsec Transform Set | IPsec Overhead (Maximum Bytes) |
| --- | --- |
| ESP-AES (256, 192, or 128), ESP-SHA-HMAC, or MD5 | 73 |
| ESP-AES (256, 192, or 128) | 61 |
| ESP-3DES, ESP-DES | 45 |
| ESP-(DES or 3DES), ESP-SHA-HMAC, or MD5 | 57 |
| ESP-Null, ESP-SHA-HMAC, or MD5 | 45 |
| AH-SHA-HMAC or MD5 | 44 |
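
The following added example (not FortiGate code, and not a model of how the FortiGate derives its tunnel MTU) shows how block padding produces the maximum values in the table and how the overhead varies with inner packet size. It assumes tunnel mode with an IPv4 outer header, no NAT traversal, the standard ESP and AH field sizes, and HMAC tags truncated to 96 bits; all function and constant names are illustrative.

```python
# Added example: ESP tunnel-mode overhead, IPv4 outer header, no NAT-T.
# Field sizes below are assumptions from the standard ESP/AH layout.
OUTER_IP = 20     # new IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ICV_96 = 12       # HMAC-SHA1-96 / HMAC-MD5-96 tag truncated to 96 bits
AH_FIXED = 12     # AH next header, length, reserved, SPI, sequence number

# cipher -> (IV bytes, alignment of payload + padding + trailer)
CIPHERS = {"aes": (16, 16), "3des": (8, 8), "des": (8, 8), "null": (0, 4)}


def esp_overhead(inner_len, cipher, auth=True):
    """Bytes added to an inner packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    pad = -(inner_len + ESP_TRAILER) % block
    icv = ICV_96 if auth else 0
    return OUTER_IP + ESP_HEADER + iv + pad + ESP_TRAILER + icv


def max_esp_overhead(cipher, auth=True):
    """Worst case over every padding length (one full block of sizes)."""
    block = CIPHERS[cipher][1]
    return max(esp_overhead(n, cipher, auth) for n in range(block))


def ah_overhead():
    """AH in tunnel mode: outer IP header + AH header with a 96-bit ICV."""
    return OUTER_IP + AH_FIXED + ICV_96


def largest_inner_packet(link_mtu, cipher, auth=True):
    """Largest inner packet whose encapsulated size fits in link_mtu."""
    for n in range(link_mtu, 0, -1):
        if n + esp_overhead(n, cipher, auth) <= link_mtu:
            return n
    return 0


if __name__ == "__main__":
    for cipher, auth in [("aes", True), ("aes", False), ("3des", False),
                         ("3des", True), ("null", True)]:
        print(cipher, "auth" if auth else "no-auth",
              "max overhead:", max_esp_overhead(cipher, auth),
              "largest inner packet at 1500:",
              largest_inner_packet(1500, cipher, auth))
    print("ah max overhead:", ah_overhead())
```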