IPsec VPN Compression Overview

Caveats of using encryption and compression together

• Higher-layer data encryption reduces the effectiveness of lower-layer data compression
• Higher-layer data encryption
  • IPsec VPN with ESP operates in layer 3
  • The IPsec VPN encryption happen first
  • The data become random and unrecognizable (hard to compress)
• Lower-layer data compression
  • PPP CCP operates in layer 2, STAC compression (on serial link)
  • To compress the size of the data, redundant data is replace with a token
  • If the data that being feed into compression process are random, compression is less effective

IPPCP and LZS

• IPcomp provides a framework for compressing IP packets in VPN with encryption environments
• IPPCP (IP Payload Compression Protocol)
  • Nonlossy compression protocol
  • Stateless compression protocol
  • Requires the negotiation of IPCA (IPComp Association) between compression peers,
  • Fully integrated with ISAKMP/IKE
• LZS (Lempel Ziv Stac)
  • Efficient compression algorithm for IPPCP
  • Packets will be compressed and then encrypted

LZS compression consideration

• LZS will not compress any packet below 128 bytes
• It’s not commonly used in production anymore
  • Most of enterprise is using fast WAN links
  • LZS is no longer supported on many Cisco newer platforms
  • Specific compression platform is used for compression (e.g. Cisco WAAS)
• If using specific compression platform, make sure the traffic is compressed first and then encrypted

Enable LZS compression on Cisco IOS

• Enable LZS compression on the IPsec Transform Set
  • #crypto ipsec transform-set (…) comp-lzs
• Verification
  • #show crypto ipsec sa
  • pkts encaps: 153557, #pkts encrypt: 153557, #pkts digest: 153557
  • pkts decaps: 135959, #pkts decrypt: 135959, #pkts verify: 135959
  • pkts compressed: 55197, #pkts decompressed: 50575
  • pkts not compressed: 94681, #pkts compr. failed: 3691
  • pkts not decompressed: 85384, #pkts decompress failed: 0
  • send errors 5, #recv errors 62