HP TMS zl Module Security Administrator's Guide
4-66
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
The TMS zl Module checks an IPsec SA for inactivity when the SA has
transmitted and received 80 percent of the allowed bandwidth in kilobytes.
If the SA is active, the module renegotiates it, deleting the old SA
when the new one is established. The module deletes an inactive SA if it
is still inactive when the total lifetime in kilobytes is reached.
Note: If you specify the SA lifetime both in seconds and in kilobytes, the SA is
evaluated when the first limit is reached.
32. Select the check boxes for the advanced features that you want to enable:
• Enable IP compression
• Enable extended sequence number
• Enable re-key on sequence number overflow
This setting is enabled by default.
• Enable persistent tunnel
• Enable fragment before IPsec
This setting is enabled by default.
For information and guidelines on these settings, see “Advanced IPsec
Features” on page 4-21.
33. For Anti-Replay Window Size, type a value between 32 and 1024.
This setting determines how far out of order a packet can arrive and still
be accepted. See “Anti-Replay Window” on page 4-22 for more information.
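How the Anti-Replay Window Size in step 33 changes what a receiver accepts, as an added example that is not from this guide and is not the TMS zl Module's own implementation: a sliding-window check in the style of RFC 4303, run over a constructed arrival order with two window sizes. The class, function and constant names are hypothetical.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP)."""

MIN_WINDOW, MAX_WINDOW = 32, 1024   # range the guide allows for this field

# Constructed arrival order of ESP sequence numbers (not captured traffic).
ARRIVALS = [1, 2, 3, 50, 10, 45, 45, 51, 3]


class AntiReplayWindow:
    def __init__(self, size):
        if not MIN_WINDOW <= size <= MAX_WINDOW:
            raise ValueError("window size must be between 32 and 1024")
        self.size = size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (highest - i) already seen

    def accept(self, seq):
        """Return a verdict and update the window. A real receiver updates
        the window only after the packet's integrity check has passed."""
        if seq == 0:
            return "drop: invalid"            # ESP sequence numbers start at 1
        if seq > self.highest:                # newer packet: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1       # forget anything older than size
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq           # how far behind the newest packet
        if offset >= self.size:
            return "drop: too old"            # fell off the left edge
        if self.bitmap & (1 << offset):
            return "drop: replay"             # this number was already accepted
        self.bitmap |= 1 << offset
        return "accept: out of order"


def verdicts(size, arrivals):
    """Run one arrival sequence through a fresh window of the given size."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in arrivals]


if __name__ == "__main__":
    for size in (32, 64):
        print(f"window size {size}")
        for seq, verdict in verdicts(size, ARRIVALS):
            print(f"  seq {seq:>3}: {verdict}")
```

With a window of 32, packet 10 arriving after packet 50 is dropped as too old; with a window of 64 it is accepted, while the duplicate of 45 is rejected at either size.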
34. For DF Bit Handling, select one of these options:
• Copy DF bit from clear packet
The TMS zl Module copies the don’t fragment (DF) bit setting for the
IPsec packet from the inner IP packet.
• Set DF bit
The module sets the DF bit for all IPsec packets.
• Clear DF bit
The module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 4-23 for
more information.
35. Under DSCP Options, choose how the TMS zl Module assigns DSCP values
to IPsec packets. Either:
• Select Copy DSCP value from clear packet.