HP TMS zl Module Security Administrator's Guide
4-27
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
between the module and the other side of the VPN tunnel. In that case, and if
the router does not allow fragmentation, the router will drop the frame,
interfering with communication across the tunnel.
To avoid this problem, you should configure the TMS zl Module to force a
smaller maximum segment size (MSS) for TCP connections associated with
traffic sent over the VPN. The correct size for the MSS depends on the smallest
MTU in the path used by the VPN tunnel as well as the size of the headers
added to the TCP data. The IPsec header size can be variable and, when you
use IPsec tunnel mode, a delivery IP header must be added as well. Therefore,
you might need to set the MSS as much as 144 bytes smaller than the MTU for
your system. You set the MSS on the Advanced tab of the firewall access policy
associated with traffic sent over the VPN.
For more information about the TCP MSS, see Chapter 6: “Configuring the
TMS zl Module Firewall.”
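To see where a figure like "up to 144 bytes smaller" comes from, the following added example (constructed for this guide, not HP's own formula or the module's code) computes the largest TCP MSS that still fits an ESP tunnel-mode packet within a given path MTU. It assumes IPv4 without options, the ESP layout of RFC 4303 and optional NAT-T UDP encapsulation (RFC 3948); the cipher block size, IV length and ICV length are parameters you choose to match the proposal actually negotiated.

```python
"""MSS clamp calculator for an IPsec ESP tunnel-mode VPN.

Constructed example: header sizes follow RFC 4303 (ESP) and RFC 3948
(NAT-T); the TMS zl Module's own bound of 144 bytes is a conservative
worst case that covers more header variants than modelled here.
"""
import math

IPV4_HDR = 20     # outer (delivery) and inner IPv4 header, no options assumed
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
UDP_HDR = 8       # NAT-T encapsulation header (RFC 3948)


def esp_tunnel_packet_len(inner_len, block, iv_len, icv_len, nat_t=False):
    """On-the-wire length of an ESP tunnel-mode packet carrying an inner
    IPv4 packet of inner_len bytes (inner IP + TCP + data).

    block:   cipher block size used for ESP padding (4 for AES-GCM/stream)
    iv_len:  explicit IV bytes (16 for AES-CBC, 8 for AES-GCM)
    icv_len: integrity check value bytes (12 for HMAC-SHA1-96, 16 for GCM)
    """
    # Inner packet + padding + 2-byte trailer must be a multiple of block
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    total = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        total += UDP_HDR
    return total


def max_mss(path_mtu, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Largest MSS for which a full-size segment, once encapsulated in ESP
    tunnel mode, does not exceed path_mtu (so the router need not fragment).
    Defaults model AES-CBC with HMAC-SHA1-96 and no NAT-T."""
    for mss in range(path_mtu, 0, -1):
        inner = IPV4_HDR + TCP_HDR + mss
        if esp_tunnel_packet_len(inner, block, iv_len, icv_len, nat_t) <= path_mtu:
            return mss
    return 0


if __name__ == "__main__":
    # Constructed sample: 1500-byte path MTU with three common proposals
    print("AES-CBC/SHA1:       ", max_mss(1500))
    print("AES-CBC/SHA1 NAT-T: ", max_mss(1500, nat_t=True))
    print("AES-GCM-16:         ", max_mss(1500, block=4, iv_len=8, icv_len=16))
```

The value to enter on the firewall access policy's Advanced tab is the result for the smallest MTU along the tunnel path, not necessarily the local interface MTU.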
Configure an IPsec Client-to-Site VPN
When using the TMS management capabilities in NIM, you have two options
for configuring client-to-site (or remote access) VPNs:
■ Deploy IPsec Remote-Access VPN wizard
■ Manage IPsec wizard
The Deploy IPsec Remote-Access VPN wizard guides you through the process
of configuring all the IPsec settings for the VPN. This wizard provides the
easiest and quickest setup.
The Manage IPsec wizard allows you to configure different components of the
VPN separately. You may want to use this wizard if you have experience
configuring VPNs or if you are familiar with the process of configuring VPNs
using the TMS zl Module Web browser interface. The Manage IPsec wizard
also allows you to configure multiple modules at once.
Whichever wizard you use, you must complete these tasks:
1. Optionally, create named objects, which you can use for the VPN
policies as well as corresponding firewall access policies.
See “Create Named Objects for the VPN (Optional)” on page 4-28