
How to enable IPSec compression

news2010a
Level 3

I put a basic IPSec configuration in place. From looking at the show crypt ipsec sa output below, compression is not being performed. Can you point me to a direction on how to make this IPSec tunnel encrypt traffic? Is that type of compression on IPSec something you normally use in production?

RouterB#show crypt ipsec sa

interface: FastEthernet0/0

Crypto map tag: test, local addr. 10.0.0.2

protected vrf:

local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)

current_peer: 10.0.0.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Accepted Solutions

Edison Ortiz
Hall of Fame

You need to add 'comp-lzs' in the transform type.

http://www.cisco.com/en/US/docsios/12_1/security/configuration/guide/scdipsec.html

And no, it's not commonly used in production anymore with everyone using fast WAN links.

Marlon,

Encryption and compression are two different things. Moreover, compression isn't that common over IPSEC. I guess your concern is more about whether the data is being encrypted across the VPN tunnel. If that is indeed your concern, then yes, from the IPSEC stats that you posted, the data between networks 150.49.59.0/24 and 150.64.52.0/22 is being encrypted. This is indicated in the IPSEC SA stats that you had posted as packets encrypted/decrypted.

HTH

Sundar

In my case I needed to verify the compression as well, since there is a known issue when using compression behind WAN optimization appliances and I wanted to double-check that. You are right, I mis-explained the encryption; it is already happening OK.
