HP TMS zl Module Security Administrator's Guide

4-285
Configuring a VPN on the HP TMS zl Module
L2TP over IPsec VPNs
14. If desired, configure settings in the Advanced Settings (Optional) section.
    a. Select the check boxes for the advanced features that you want to enable:
       • Enable re-key on sequence number overflow
         This setting is enabled by default.
       • Enable persistent tunnel
       • Enable fragment before IPsec
         This setting is enabled by default.
       For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21.
    b. Leave these check boxes clear; these settings are not supported by a default Windows L2TP over IPsec client:
       • Enable IP compression
       • Enable extended sequence number
    c. For Anti-Replay Window Size, type a value between 32 and 1024.
       This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 4-22 for more information.
    d. For DF Bit Handling, select one of these options:
       • Copy DF bit from clear packet
         The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
       • Set DF bit
         The module sets the DF bit for all IPsec packets.
       • Clear DF bit
         The module clears the DF bit for all IPsec packets.
       See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
    e. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets. Either:
       • Select Copy DSCP value from clear packet.
         The TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet.
       • Select Set DSCP value and type a value between 0 and 63 in the box.
         The TMS zl Module assigns every IPsec packet in this SA the DSCP that you configure. 0 is the default value and requests normal handling for the packet.
       See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
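
The effect of the Anti-Replay Window Size value in step c can be seen in a small model. The following Python code is an added example, not HP code: it assumes the generic sliding-window check used for IPsec ESP (RFC 4303), and the class name, function name and packet arrival order are constructed for the illustration.

```python
class AntiReplayWindow:
    """Generic IPsec-style anti-replay window (assumed model, not the module's code)."""

    def __init__(self, size):
        # The guide accepts values between 32 and 1024 for this setting.
        if not 32 <= size <= 1024:
            raise ValueError("window size must be between 32 and 1024")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Classify a packet that has already passed integrity verification."""
        if seq == 0:
            return "invalid"              # ESP sequence numbers start at 1
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"              # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replay"               # this sequence number was already accepted
        self.bitmap |= 1 << offset        # late but new: mark it as seen
        return "accept"


def classify(arrivals, size):
    """Run a list of sequence numbers through a fresh window of the given size."""
    window = AntiReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in arrivals]


# Constructed arrival order: packet 10 is delayed until after packet 60,
# and packet 55 arrives a second time (a duplicate or a replayed capture).
ARRIVALS = list(range(1, 10)) + list(range(11, 61)) + [55, 10]

if __name__ == "__main__":
    for size in (32, 64):
        print(size, classify(ARRIVALS, size)[-2:])
```

A larger window tolerates more reordering (useful when QoS or multipath delays packets) at the cost of tracking more sequence numbers per SA; a duplicate inside the window is rejected at either size.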