How to enable IPSec compression

Answered Question
Aug 21st, 2007

I put a basic IPSec configuration in place. From looking at the show crypt ipsec sa output below, compression is not being performed. Can you point me to a direction on how to make this IPSec tunnel encrypt traffic? Is that type of compression on IPSec something you normally use in production?

RouterB#show crypt ipsec sa

interface: FastEthernet0/0

Crypto map tag: test, local addr. 10.0.0.2

protected vrf:

local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)

current_peer: 10.0.0.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Correct Answer by Edison Ortiz about 9 years 5 months ago

You need to add 'comp-lzs' in the transform type.

http://www.cisco.com/en/US/docsios/12_1/security/configuration/guide/scdipsec.html

And no, it's not commonly used in production anymore with everyone using fast WAN links.

Overall Rating: 5 (1 ratings)
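A check for the situation in this thread, as an added example (not code from any poster or from Cisco): it parses `show crypto ipsec sa` text and reports, per SA, whether the compression counters show any activity. The function names are hypothetical, and reading "traffic flowing but every compression counter at zero" as "no compression in use" is an assumption; the sample is the counter lines from the question.

```python
import re

# Counter lines from the RouterB output in the question above.
SAMPLE = """\
local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
"""

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
# Names may contain spaces and dots ("compr. failed"); the colon is optional ("digest 16").
COUNTER = re.compile(r"#pkts\s+([a-z][a-z. ]*?):?\s+(\d+)")
COMP_KEYS = ("compressed", "decompressed", "not compressed",
             "not decompressed", "compr. failed", "decompress failed")

def parse_sas(text):
    """Return one dict per SA: local/remote ident plus integer counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a new SA block starts here
                cur = {"counters": {}}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = m.group(2)
        elif cur is not None:
            for name, val in COUNTER.findall(line):
                cur["counters"][name] = int(val)
    return sas

def compression_state(sa):
    """Classify an SA (assumed reading of the counters, see lead-in)."""
    c = sa["counters"]
    if not (c.get("encaps", 0) or c.get("decaps", 0)):
        return "no traffic"
    if not any(c.get(k, 0) for k in COMP_KEYS):
        return "inactive"                  # encrypted traffic, no compression activity
    if c.get("compr. failed", 0) or c.get("decompress failed", 0):
        return "failing"
    return "active"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["local"], "->", sa["remote"], compression_state(sa))
```
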
sundar.palaniappan Tue, 08/21/2007 - 19:20

Marlon,

Encryption and compression are two different things. Moreover, compression isn't that common over IPSEC. I guess your concern is more about whether the data is being encrypted across the VPN tunnel. If that is indeed your concern, then yes, from the IPSEC stats that you posted, the data between networks 150.49.59.0/24 and 150.64.52.0/22 is being encrypted. This is indicated in the IPSEC SA stats that you had posted as packets encrypted/decrypted.

HTH

Sundar

news2010a Tue, 08/21/2007 - 20:08

In my case I needed to verify the compression as well, since there is a known issue when using compression behind WAN optimization appliances and I wanted to double check that. You are right, I misexplained the encryption; it is already happening OK.
