Cisco Support Community
New Member

How to enable IPSec compression

I put a basic IPSec configuration in place. From looking at the show crypt ipsec sa output below, compression is not being performed. Can you point me to a direction on how to make this IPSec tunnel encrypt traffic? Is that type of compression on IPSec something you normally use in production?

RouterB#show crypt ipsec sa

interface: FastEthernet0/0

Crypto map tag: test, local addr. 10.0.0.2

protected vrf:

local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)

current_peer: 10.0.0.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16

#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

Re: How to enable IPSec compression

You need to add 'comp-lzs' in the transform type.

http://www.cisco.com/en/US/docsios/12_1/security/configuration/guide/scdipsec.html

And no, it's not commonly used in production anymore with everyone using fast WAN links.

Re: How to enable IPSec compression

Marlon,

Encryption and compression are two different things. Moreover, compression isn't that common over IPSEC. I guess your concern is more about whether the data is being encrypted across the VPN tunnel. If that is indeed your concern, then yes: from the IPSEC stats that you posted, the data between networks 150.49.59.0/24 and 150.64.52.0/22 is being encrypted. This is indicated in the IPSEC SA stats that you had posted as packets encrypted/decrypted.

HTH

Sundar

New Member

Re: How to enable IPSec compression

In my case I needed to verify the compression as well, since there is a known issue when using compression behind WAN optimization appliances and I wanted to double-check that. You are right, I misexplained the encryption; it is already happening OK.
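
The distinction drawn in this thread, as an added example that is not part of any post and is not Cisco code: a Python script that reads the counter lines of `show crypto ipsec sa` output and reports encryption and compression separately. The function names and the embedded sample are constructed for illustration; the counter names are the ones in the output posted in the question.

```python
import re

# Constructed sample: counter lines in the same format as the
# `show crypto ipsec sa` output posted in the question.
SAMPLE = """\
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
"""

# Counter names can contain spaces and dots, and the colon is optional
# ("#pkts digest 16", "#send errors 0").
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z. ]*?):?\s+(\d+)")


def parse_counters(text):
    """Return {counter name: value} for every '#name: value' pair."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def sa_status(text):
    """Report encryption and compression activity as separate findings."""
    c = parse_counters(text)
    return {
        # ESP encryption in either direction
        "encrypting": c.get("pkts encrypt", 0) > 0 or c.get("pkts decrypt", 0) > 0,
        # Payload compression in either direction
        "compressing": c.get("pkts compressed", 0) > 0
        or c.get("pkts decompressed", 0) > 0,
        # Failures on the compress and decompress paths combined
        "compression_failures": c.get("pkts compr. failed", 0)
        + c.get("pkts decompress failed", 0),
    }


if __name__ == "__main__":
    for key, value in sa_status(SAMPLE).items():
        print(f"{key}: {value}")
```
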
