HP TMS zl Module Security Administrator's Guide

4-65
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
Tunnel mode allows remote endpoints to reach services behind the TMS
zl Module. In transport mode, the VPN only supports traffic originated by
the remote endpoint or by the TMS zl Module itself.
28. For IPsec Security Protocol/Encryption/Authentication Algorithm, select one
of the options.
The first part of each option is the security protocol, ESP or AH (AH does
not provide encryption). The next part is the encryption algorithm. If you
select NULL, VPN traffic will not be encrypted. The final part of each
option is the authentication algorithm. These three settings must match
the settings on the remote endpoints exactly.
29. Optionally, select the Enable PFS check box, which forces the remote
endpoints to generate new keys for the IPsec SA (instead of using the keys
generated during IKE). In the list that is displayed, select one of the
following:
Group 1 (768)
Group 2 (1024)
Group 5 (1536)
The group determines the length of the prime number used during the
exchange. The larger the number, the more secure the key generated by
the exchange.
30. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400
(24 hours). Or type 0 if you do not want to specify a lifetime in seconds
(in this case, you must specify a lifetime in kilobytes).
This setting determines how long the IPsec SA remains open. When the
lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl
Module checks whether the SA has experienced any activity. If it has, the
module negotiates a new SA and then deletes the old SA. If the SA is
inactive, the module waits for the complete lifetime to expire. Then, if the
SA is still inactive, the module deletes the SA.
The default value is 28800 (8 hours).
31. For SA Lifetime in Kilobytes, type a value between 2560 and 4194304. Or
leave the default 0 if you do not want to specify a lifetime in kilobytes (in
this case, you must specify a lifetime in seconds).
This setting determines when an SA expires based on the amount of data
passed over it, rather than by time. (The more traffic sent over a connection
under the same key, the more material an attacker has for cracking that key.)
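The two lifetime fields in steps 30 and 31 interact: each may be 0 only if the other is set, and the module rekeys an active SA at 80 percent of the time lifetime. The following Python model is an added example, not HP's code; the function names and the handling of an SA that becomes active only after the 80 percent mark are assumptions.

```python
"""Model of the IPsec SA lifetime rules from steps 30 and 31 (added example)."""
from dataclasses import dataclass

SECONDS_MIN, SECONDS_MAX = 300, 86400          # 5 minutes .. 24 hours
KILOBYTES_MIN, KILOBYTES_MAX = 2560, 4194304
DEFAULT_SECONDS = 28800                        # 8 hours, the module default


@dataclass(frozen=True)
class SaLifetime:
    seconds: int = DEFAULT_SECONDS   # 0 = no time-based lifetime
    kilobytes: int = 0               # 0 = no volume-based lifetime


def validate_lifetime(lt: SaLifetime) -> list:
    """Return the problems the guide's constraints would flag (empty = OK)."""
    problems = []
    if lt.seconds == 0 and lt.kilobytes == 0:
        problems.append("at least one of seconds or kilobytes must be non-zero")
    if lt.seconds and not SECONDS_MIN <= lt.seconds <= SECONDS_MAX:
        problems.append(f"seconds must be 0 or {SECONDS_MIN}..{SECONDS_MAX}")
    if lt.kilobytes and not KILOBYTES_MIN <= lt.kilobytes <= KILOBYTES_MAX:
        problems.append(f"kilobytes must be 0 or {KILOBYTES_MIN}..{KILOBYTES_MAX}")
    return problems


def time_action(lt: SaLifetime, elapsed: int, saw_traffic: bool) -> str:
    """Decision for an SA of age `elapsed` seconds: keep, renegotiate, wait, delete.

    At 80 percent of the lifetime an SA that has carried traffic is
    renegotiated (new SA first, then the old one is deleted); an idle SA is
    left alone until the full lifetime expires and deleted only if still
    idle then. Renegotiating a late-active SA at full expiry is an assumption.
    """
    if lt.seconds == 0:
        return "keep"                         # no time-based lifetime configured
    if elapsed >= lt.seconds:
        return "renegotiate" if saw_traffic else "delete"
    if elapsed >= 0.8 * lt.seconds:
        return "renegotiate" if saw_traffic else "wait"
    return "keep"


def volume_exhausted(lt: SaLifetime, kilobytes_sent: int) -> bool:
    """Volume-based expiry: cap the data protected under one key."""
    return lt.kilobytes != 0 and kilobytes_sent >= lt.kilobytes
```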