HP TMS zl Module Security Administrator's Guide

4-22
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
Fragmentation before IPsec
The copying of values from the original IP header
The sections below describe these features. Table 4-2, which appears at the end of this section, indicates which features are enabled by default and lists the other default settings.
IP Compression
Various data-link layer protocols compress frames to reduce the bandwidth they require. That kind of compression gains nothing on IPsec traffic: an encrypted payload is indistinguishable from random data, so there is no redundancy left for a link-layer compressor to remove, and the compressor cannot look inside an ESP packet without the key. IP compression (IPComp, RFC 3173) instead lets the TMS zl Module compress the IP payload before it is encrypted, which reduces the bytes sent through the tunnel and can improve throughput on bandwidth-limited links. Two caveats apply: compression costs CPU on both peers, which matters on a busy module, and compressing data before encryption makes packet sizes depend on the content, which can leak information about the plaintext when an attacker controls part of what is sent.
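To see why the order matters, here is an added example (written for this page; it is not the module's code and not from the guide) that compresses a constructed sample payload before encrypting it with a toy stream cipher, and compares that with encrypting first and letting a compressor try afterwards. The SHA-256 counter-mode keystream, the key, and the payload are assumptions for the demonstration; zlib stands in for the IPComp DEFLATE transform, and the example also applies the RFC 3173 rule of sending a payload uncompressed when compression would not shrink it.

```python
"""Added illustration: compress before encrypt (IPComp inside ESP) versus
encrypt before compress (link-layer compression of ciphertext).
Toy cipher and constructed payload; not the TMS zl Module's implementation."""
import hashlib
import zlib

# Constructed sample payload: repetitive cleartext, as application data often is.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: vpn.example.test\r\n" * 40


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demo only, never for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ipcomp_then_esp(key: bytes, payload: bytes) -> tuple[bool, bytes]:
    """Compress first, then encrypt, as IPComp (RFC 3173) inside ESP does.
    Returns (was_compressed, ciphertext). RFC 3173 rule: if compression does
    not shrink the payload, send it uncompressed so the packet does not grow."""
    compressed = zlib.compress(payload, 9)
    if len(compressed) < len(payload):
        return True, encrypt(key, compressed)
    return False, encrypt(key, payload)


def esp_then_link_compress(key: bytes, payload: bytes) -> bytes:
    """Encrypt first, then let a compressor try: ciphertext has no redundancy,
    so the output is no smaller than the input (normally a little larger)."""
    return zlib.compress(encrypt(key, payload), 9)


def receive(key: bytes, was_compressed: bool, ciphertext: bytes) -> bytes:
    """Peer side: decrypt, then decompress only if the sender compressed."""
    plain = encrypt(key, ciphertext)
    return zlib.decompress(plain) if was_compressed else plain


def compare(key: bytes = b"demo-key", payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Sizes on the wire for both orderings, plus a round-trip check."""
    was_compressed, ct = ipcomp_then_esp(key, payload)
    return {
        "original": len(payload),
        "compress_then_encrypt": len(ct),
        "encrypt_then_compress": len(esp_then_link_compress(key, payload)),
        "round_trip_ok": receive(key, was_compressed, ct) == payload,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value}")
```

The compress-then-encrypt path is a fraction of the original size, while the encrypt-then-compress path is at least as large as the original; that difference is the whole reason IP compression has to be done by the IPsec endpoint rather than by the link below it.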
Anti-Replay Window
The TMS zl Module checks the sequence number of each IPsec packet it receives within an SA. An ESP or AH sender numbers every packet consecutively, so the module can recognize a packet it has already accepted and drop the duplicate. This protects against replay attacks, in which an attacker captures legitimate packets and re-sends them later so that the receiver processes them again. Because packets can legitimately arrive slightly out of order, the module does not insist on strict ordering: it accepts any packet whose sequence number falls within the anti-replay window and that it has not already accepted.
For example, suppose that the anti-replay window size is at the default, 32. If the highest sequence number that the TMS zl Module has received is 120, the module will accept any packet with a sequence number of 88 or greater that it has not already seen. A packet numbered below 88 is dropped as too old, and a second copy of a packet already accepted, such as 100, is dropped as a replay.
If your VPN users complain of poor performance (dropped packets and retransmissions on an otherwise healthy link), you might increase the window size. In particular, you might need to increase it when the links used by the VPN connection apply QoS: low-priority packets can be queued behind higher-priority traffic and arrive much later than their sequence numbers suggest, falling outside a small window. A larger window does not weaken replay protection, because a packet that has already been accepted is rejected wherever it falls in the window; it only tolerates more reordering, at the cost of a little more state per SA.
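The following is an added example of an anti-replay sliding window of the kind described above; it is written for this page and is not the TMS zl Module's code. It follows the RFC 4303 bitmap convention, in which a window of W covers the W most recent sequence numbers, so with W = 32 and a highest number of 120 the lowest accepted number is 89. The guide's example counts the edge as 88; how the module itself counts the boundary is not something this example can confirm, so treat the exact edge as an assumption. The arrival sequence is constructed for the demonstration.

```python
"""Added illustration of an ESP anti-replay window (RFC 4303 style bitmap).
Not the TMS zl Module's implementation; 32-bit sequence numbers, no ESN."""


class AntiReplayWindow:
    def __init__(self, size: int = 32):
        if not 1 <= size <= 64:
            raise ValueError("window size must be 1..64 for this bitmap")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (highest - i) was already accepted

    def check_and_update(self, seq: int) -> tuple[bool, str]:
        """Return (accept, reason) and record seq if accepted.
        A real ESP receiver updates the window only after the ICV check
        succeeds; otherwise forged packets could advance the window."""
        if seq == 0:
            return False, "seq 0 is never valid (first packet is 1)"
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything earlier fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True, "new highest; window advanced"
        diff = self.highest - seq
        if diff >= self.size:
            return False, "too old: below window"
        if self.bitmap & (1 << diff):
            return False, "replay: already accepted"
        self.bitmap |= 1 << diff
        return True, "in window, not seen before"

    def lowest_accepted(self) -> int:
        """Lowest sequence number still inside the window."""
        return max(1, self.highest - self.size + 1)


# Constructed arrivals: in order, a jump, reordering, one below the window,
# two replays, then a new highest.
ARRIVALS = [1, 2, 3, 120, 100, 89, 88, 120, 100, 121]


def replay_demo(size: int = 32, arrivals=ARRIVALS) -> list:
    """Run the arrivals through a window of the given size; return
    (seq, accepted, reason) per packet."""
    window = AntiReplayWindow(size)
    return [(seq, *window.check_and_update(seq)) for seq in arrivals]


def accepted_count(size: int, arrivals=ARRIVALS) -> int:
    """How many packets a window of this size lets through."""
    return sum(1 for _, ok, _ in replay_demo(size, arrivals) if ok)


if __name__ == "__main__":
    for seq, ok, reason in replay_demo(32):
        print(f"seq {seq:4d}: {'accept' if ok else 'drop  '}  {reason}")
    print("accepted with window 32:", accepted_count(32))
    print("accepted with window 64:", accepted_count(64))
```

With the default window of 32, packet 88 is dropped as too old while the replays of 120 and 100 are dropped regardless of window size; raising the window to 64 admits packet 88 but still rejects the replays, which is the point made in the text about enlarging the window for reordered QoS traffic.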
Table 4-2. Advanced IPsec Features

Feature                                  Default Setting
IP compression                           Disabled
Anti-replay window                       Always enabled (default size 32)
Extended sequence number                 Disabled
Re-key on sequence number overflow       Enabled
Persistent tunnel                        Disabled
Fragment before IPsec                    Enabled
Copy, set, or clear the DF bit           Copy
Copy or set the DSCP                     Set to 0