08-21-2007 11:51 AM - edited 03-03-2019 06:24 PM
I put a basic IPSec configuration in place. From looking at the show crypt ipsec sa output below, compression is not being performed. Can you point me to a direction on how to make this IPSec tunnel encrypt traffic? Is that type of compression on IPSec something you normally use in production?
RouterB#show crypt ipsec sa
interface: FastEthernet0/0
Crypto map tag: test, local addr. 10.0.0.2
protected vrf:
local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)
current_peer: 10.0.0.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
08-21-2007 06:24 PM
You need to add 'comp-lzs' in the transform type.
http://www.cisco.com/en/US/docsios/12_1/security/configuration/guide/scdipsec.html
And no, it's not commonly used in production anymore with everyone using fast WAN links.
08-21-2007 07:20 PM
Marlon,
Encryption and compression are two different things. Moreover, compression isn't that common over IPSEC. I guess your concern is more about whether the data is being encrypted across the VPN tunnel. If that is indeed your concern, then yes, from the IPSEC stats that you posted, the data between networks 150.49.59.0/24 and 150.64.52.0/22 is being encrypted. This is indicated in the IPSEC SA stats that you had posted as packets encrypted/decrypted.
HTH
Sundar
08-21-2007 08:08 PM
In my case I needed to verify the compression as well, since there is a known issue when using compression behind WAN optimization appliances and I wanted to double check that. You are right, I misexplained the encryption; it is already happening OK.
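One way to check both conditions discussed in this thread from the counters alone, as an added example that is not part of any post: a Python parser for `show crypto ipsec sa` counter lines that reports encryption and compression separately. The function names and status labels are hypothetical, and reading all-zero compression counters as "no compression in use" is an assumption.

```python
import re

# Counter lines in the format of the `show crypto ipsec sa` output posted above.
SAMPLE = """\
local ident (addr/mask/prot/port): (150.49.59.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.64.52.0/255.255.252.0/0/0)
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
"""

# "#name: 16" and "#name 16" both occur in the output, so the colon is optional.
COUNTER = re.compile(r"#([a-z][a-z. ]*?):?\s+(\d+)")
IDENT = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/")

def parse_sas(text):
    """Return one dict per SA block: local/remote ident plus all counters."""
    sas = []
    for line in map(str.strip, text.splitlines()):
        m = IDENT.match(line)
        if m:
            if m.group(1) == "local":      # a "local ident" line starts a new SA
                sas.append({"counters": {}})
            if sas:
                sas[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif sas:
            sas[-1]["counters"].update(
                (name, int(val)) for name, val in COUNTER.findall(line))
    return sas

def assess(sa):
    """Report encryption and compression separately, as the replies distinguish them."""
    c = sa["counters"].get
    failed = c("pkts compr. failed", 0) + c("pkts decompress failed", 0)
    done = c("pkts compressed", 0) + c("pkts decompressed", 0)
    skipped = c("pkts not compressed", 0) + c("pkts not decompressed", 0)
    # Assumption: all compression counters at zero means no compression transform in use.
    comp = ("failing" if failed else "active" if done
            else "bypassed" if skipped else "none")
    return {"encrypted": c("pkts encrypt", 0) + c("pkts decrypt", 0) > 0,
            "compression": comp}

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["local"], "->", sa["remote"], assess(sa))
```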