How to enable IPSec compression

Answered Question
Aug 21st, 2007

I put a basic IPSec configuration in place. From looking at the show crypt ipsec sa output below, compression is not being performed. Can you point me to a direction on how to make this IPSec tunnel encrypt traffic? Is that type of compression on IPSec something you normally use in production?



RouterB#show crypt ipsec sa

interface: FastEthernet0/0
Crypto map tag: test, local addr. 10.0.0.2

protected vrf:
local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)
current_peer: 10.0.0.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Correct Answer by Edison Ortiz about 9 years 9 months ago

You need to add 'comp-lzs' in the transform type.


http://www.cisco.com/en/US/docsios/12_1/security/configuration/guide/scdipsec.html


And no, it's not commonly used in production anymore with everyone using fast WAN links.


Overall Rating: 5 (1 ratings)
sundar.palaniappan Tue, 08/21/2007 - 19:20

Marlon,


Encryption and compression are two different things. Moreover, compression isn't that common over IPSEC. I guess your concern is more about whether the data is being encrypted across the VPN tunnel. If that is indeed your concern, then yes: from the IPSEC stats that you posted, the data between networks 150.49.59.0/24 and 150.64.52.0/22 is being encrypted. This is indicated in the IPSEC SA stats that you had posted as packets encrypted/decrypted.


HTH


Sundar



news2010a Tue, 08/21/2007 - 20:08

In my case I needed to verify the compression as well, since there is a known issue when using compression behind WAN optimization appliances and I wanted to double-check that. You are right, I misexplained the encryption; it is already happening OK.
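
Added example (not part of the thread and not Cisco code): a short Python check of the counters discussed above, run over the counter lines from the output posted in the question. The function names are hypothetical, and it assumes the text passed in covers a single peer block.

```python
import re

# Counter lines copied from the `show crypt ipsec sa` output in the question.
SAMPLE = """\
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
"""

# Counters appear as "#pkts encrypt: 16" or "#send errors 0" (colon optional).
COUNTER_RE = re.compile(r"#([A-Za-z. ]+?):?\s+(\d+)")

# Every compression-related counter in the output above.
COMPRESSION_KEYS = (
    "pkts compressed", "pkts decompressed",
    "pkts not compressed", "pkts not decompressed",
    "pkts compr. failed", "pkts decompress failed",
)


def parse_counters(text):
    """Return {counter name: int} for each '#name[:] value' pair in text."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def assess(counters):
    """Summarise what one SA's counters show (hypothetical helper)."""
    get = lambda key: counters.get(key, 0)
    return {
        # Non-zero encrypt/decrypt counters mean traffic is being protected.
        "encrypting": get("pkts encrypt") > 0,
        "decrypting": get("pkts decrypt") > 0,
        # Any non-zero compression counter means compression is in play.
        "compression_seen": any(get(k) > 0 for k in COMPRESSION_KEYS),
        "compression_failures": get("pkts compr. failed")
        + get("pkts decompress failed"),
        "errors": get("send errors") + get("recv errors"),
    }


if __name__ == "__main__":
    print(assess(parse_counters(SAMPLE)))
```

For the posted output this reports encryption in both directions and no compression activity, which matches both replies in the thread.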
