HP TMS zl Module Security Administrator's Guide
4-24
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
The TMS zl Module can copy the DSCP value and the DF bit from the original
(inner) IP header to the delivery (outer) header. In this way, the QoS marking
and the fragmentation behavior of the original packet are preserved for the
encapsulated packet as it crosses the tunnel.
The module can also set or clear the DF bit for all IPsec packets in an SA,
regardless of what the inner header carried. For example, you might set the
DF bit to ensure that IPsec packets are never fragmented in transit; an
oversized packet is then dropped rather than fragmented, so the path MTU must
accommodate the IPsec overhead.
In addition, instead of copying the DSCP value from each individual packet, the
TMS zl Module can set the same DSCP value for all the IPsec packets in the SA.
For example, you might want to set a relatively high value for a high-priority
VPN connection.
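The following Python example is added here to illustrate the three behaviors described above (copy DSCP and DF from the inner header, force DF set or clear for the whole SA, and apply one fixed DSCP value to every packet); it is not code from the TMS zl Module or its CLI. It builds a tunnel-mode delivery header around a constructed inner IPv4 packet. The ESP header is represented by its SPI and sequence number only; encryption and the integrity check value are omitted because the point is the outer header, and the policy names "copy", "set" and "clear" are assumed for the example. The last function shows the consequence of the DF choice at a link whose MTU is smaller than the encapsulated packet.

```python
import ipaddress
import struct

ESP_PROTO = 50      # IP protocol number carried in the delivery header for ESP
ESP_HDR_LEN = 8     # SPI (4 bytes) + sequence number (4 bytes); payload/ICV omitted here
DF_FLAG = 0x4000    # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0,
               ecn: int = 0, df: bool = False, ident: int = 0, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum, then append the payload."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)          # DSCP occupies the top 6 bits of the TOS byte
    flags_frag = DF_FLAG if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, flags_frag, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields that matter for this example (DSCP, ECN, DF, length, protocol, addresses)."""
    ver_ihl, tos, total_len, _ident, flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "dscp": tos >> 2, "ecn": tos & 0x3,
        "df": bool(flags_frag & DF_FLAG),
        "total_len": total_len, "proto": proto,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, spi: int, seq: int,
                dscp_policy="copy", df_policy="copy") -> bytes:
    """Wrap the inner packet in a tunnel-mode delivery header using the chosen DSCP and DF policy.

    dscp_policy: "copy" (take DSCP from the inner header) or an int 0..63 applied to every packet in the SA.
    df_policy:   "copy" (take DF from the inner header), "set" (never fragment) or "clear" (allow fragmentation).
    The policy names are assumed for this example; ECN bits are left at zero and not addressed here.
    """
    inner_hdr = parse_ipv4(inner)
    if dscp_policy == "copy":
        dscp = inner_hdr["dscp"]
    else:
        dscp = int(dscp_policy)
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP must be in 0..63")
    if df_policy == "copy":
        df = inner_hdr["df"]
    elif df_policy in ("set", "clear"):
        df = df_policy == "set"
    else:
        raise ValueError("df_policy must be copy, set or clear")
    esp = struct.pack("!II", spi, seq) + inner            # ESP header followed by the (here unencrypted) inner packet
    return build_ipv4(tunnel_src, tunnel_dst, ESP_PROTO, esp, dscp=dscp, df=df)


def path_outcome(pkt: bytes, link_mtu: int) -> str:
    """What a router on the path does with the encapsulated packet at a link of the given MTU."""
    hdr = parse_ipv4(pkt)
    if hdr["total_len"] <= link_mtu:
        return "forward"
    return "drop-icmp-frag-needed" if hdr["df"] else "fragment"


if __name__ == "__main__":
    # Constructed inner packet: 1480-byte UDP payload, DSCP 46 (EF), DF set -> 1500 bytes total.
    inner = build_ipv4("10.1.1.5", "10.2.2.7", 17, b"A" * 1480, dscp=46, df=True)
    copied = encapsulate(inner, "203.0.113.1", "198.51.100.1", spi=0x1000, seq=1)
    fixed = encapsulate(inner, "203.0.113.1", "198.51.100.1", spi=0x1000, seq=2, dscp_policy=34, df_policy="clear")
    print("copy policy :", parse_ipv4(copied), path_outcome(copied, 1500))
    print("fixed policy:", parse_ipv4(fixed), path_outcome(fixed, 1500))
```

With the copy policy the delivery header carries DSCP 46 and DF set, so a 1500-byte link drops the 1528-byte encapsulated packet and the sender must discover the smaller path MTU; with DF cleared the router fragments it instead, at the cost of reassembly at the far gateway.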
Certificates
You can configure IKE to use certificates for authentication during phase 1.
Certificates tend to be more secure than preshared keys because each endpoint
can hold its own unique certificate, the corresponding private key never has
to be shared with the peer, and the credential is therefore less easily leaked.
A certificate itself includes (among other information):
■ A subject name, which identifies the endpoint
■ The host’s public key
■ The certificate authority’s (CA’s) signature
The VPN tunnel endpoints must trust the CAs that sign each other's certificates.
The TMS zl Module supports X.509 certificates in Distinguished Encoding
Rules (DER) or Privacy Enhanced Mail (PEM) format. For the public/private
keypair, it supports DSA and RSA.
You can import certificates to the TMS zl Module manually, or you can obtain
them automatically using Simple Certificate Enrollment Protocol (SCEP).
NAT Traversal
VPN users may be behind a device that performs NAT on packets that are
destined for the other end of the VPN tunnel. If NAT is performed on packets
before they are encrypted, then the packets pass over the VPN connection
without difficulty.