HP TMS zl Module Security Administrator's Guide

4-23
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
Extended Sequence Number
By default, IPsec uses 32 bits for sequence numbers. Because sequence numbers cannot be reused, this limits an SA to 2^32 (4 million) packets. If your SA has a relatively long lifetime and transmits a great deal of traffic, you might want to enable extended sequence numbers (64 bits) to allow up to 2^64 (18 quintillion) packets.
Re-key on Sequence Number Overflow
As described in the previous section, an SA is limited to 2^32 or 2^64 packets (depending on whether you enabled extended sequence numbers). You can enable the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number.
By default, this feature is enabled. You should typically leave it enabled.
Otherwise, if the SA runs out of sequence numbers, it becomes unavailable
until its lifetime expires and the endpoints renegotiate the tunnel.
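The two behaviours above, as an added Python model that is not part of the HP guide or the module's firmware: the sender side flags a re-key before the last usable sequence number, and the receiver side shows why extended sequence numbers work at all, since only the low 32 bits travel in the ESP header and the receiver reconstructs the high 32 bits using the method of RFC 4303 Appendix A. The anti-replay window size and the re-key margin are assumed values.

```python
MASK32 = (1 << 32) - 1

def sender_next_seq(seq, extended, rekey_margin=1000):
    """Advance an outbound counter and flag when the SA should be re-keyed.
    The margin before the last usable number is an assumed value."""
    limit = (1 << 64) if extended else (1 << 32)
    seq += 1
    if seq >= limit:
        raise OverflowError("SA exhausted; no sequence numbers left")
    return seq, seq >= limit - rekey_margin

class EsnReceiver:
    """Highest 64-bit ESN seen plus a W-packet anti-replay window."""

    def __init__(self, window=64, top=0):
        self.w, self.top = window, top
        self.seen = set()          # ESNs accepted inside the current window

    def infer_esn(self, seql):
        """Reconstruct the 64-bit ESN from the 32 bits carried in the ESP header."""
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= self.w - 1:       # window lies within one 2^32 subspace
            seqh = th if seql >= tl - self.w + 1 else th + 1
        else:                      # window straddles a 2^32 boundary
            seqh = th - 1 if seql >= ((tl - self.w + 1) & MASK32) else th
        return None if seqh < 0 else (seqh << 32) | seql

    def accept(self, seql):
        """Return the full ESN for a fresh packet, or None for a replay/too-old one.
        A wrongly inferred high half is caught in practice by the ICV, which is
        computed over the full 64-bit value; that check is not modelled here."""
        esn = self.infer_esn(seql)
        if esn is None or esn <= self.top - self.w or esn in self.seen:
            return None
        if esn > self.top:
            self.top = esn
            self.seen = {s for s in self.seen if s > esn - self.w}
        self.seen.add(esn)
        return esn
```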
Persistent Tunnel
An IPsec SA configured as a persistent tunnel always remains open. It is
renewed even if it remains inactive longer than the lifetime. You might enable
a persistent tunnel for a site-to-site VPN connection that is used intermittently.
Fragmentation Before IPsec
When you enable this feature, the TMS zl Module detects whether packets will
require fragmentation. It even takes into account the extra bytes that will be
added by IPsec headers. If fragmentation is necessary, the module fragments
the packets first and then encrypts the fragments. Fragmenting the packets
before encryption helps the remote tunnel endpoint process and decrypt the
packets more quickly.
The Copying of Values from the Original IP Header
In tunnel mode, a delivery IP header encapsulates the original IP header.
However, the original header might contain information that is important for
handling the packet such as:
- A Differentiated Services Code Point (DSCP) value, which marks the packet for a particular QoS
- A Don’t Fragment (DF) bit, which specifies whether the packet can be fragmented