HP TMS zl Module Security Administrator's Guide
4-321
Configuring a VPN on the HP TMS zl Module
L2TP over IPsec VPNs
For the access policies that permit the traffic carried inside the VPN, consider setting the TCP MSS lower than the MSS your hosts would normally negotiate, particularly when IPsec fragmentation is disabled. Otherwise the headers added during encapsulation (L2TP, the delivery IP header, and the IPsec headers) can push the encapsulated packet past the MTU, so it cannot be transmitted. Table 4-36 suggests a conservative TCP MSS value for an MTU of 1500.
Note: The TCP MSS value in the table is only a suggestion. Determine the best setting for your environment.
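The following calculation is an added example, not part of the HP guide, showing where a value such as 1360 comes from and when it is still too large. It reconstructs the encapsulation stack of L2TP over IPsec in transport mode (the mode typical L2TP/IPsec clients use) from the fixed header sizes in the protocol specifications (IPv4, UDP, TCP, ESP per RFC 4303, L2TPv2 per RFC 2661, PPP, UDP encapsulation for NAT-T per RFC 3948). Which options are present (NAT-T, L2TP sequencing, cipher and integrity algorithm) is an assumption you must match to your own tunnel configuration; the guide itself states only the MTU of 1500 and the suggested MSS of 1360.

```python
"""Estimate the largest TCP MSS that keeps an L2TP-over-IPsec segment within
the path MTU (added example; not code from the HP TMS zl guide).

Encapsulation modelled (transport-mode ESP, as used by common L2TP/IPsec
clients):

  IPv4 | [UDP NAT-T] | ESP hdr | IV | { UDP | L2TP | PPP | IPv4 | TCP | data
       | padding | pad len | next hdr } | ICV

Everything in braces is encrypted and padded up to the cipher block size.
"""

IPV4_HDR = 20      # outer and inner IPv4 header without options
UDP_HDR = 8        # L2TP transport header and, if used, NAT-T encapsulation
TCP_HDR = 20       # inner TCP header without options
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header
PPP_HDR = 4        # address, control and protocol; 2 if ACFC is negotiated

# Assumed algorithm parameters: IV/block size for CBC ciphers, ICV lengths
# for common integrity algorithms.
CIPHER_IV = {"aes-cbc": 16, "3des-cbc": 8}
CIPHER_BLOCK = {"aes-cbc": 16, "3des-cbc": 8}
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha2-256-128": 16, "hmac-md5-96": 12}


def l2tp_header_len(sequencing: bool, length_field: bool = True) -> int:
    """L2TPv2 data header: flags/version, tunnel ID and session ID are always
    present; the Length field and Ns/Nr are optional (RFC 2661 section 3.1)."""
    return 6 + (2 if length_field else 0) + (4 if sequencing else 0)


def _outside_len(nat_t: bool, cipher: str, integrity: str) -> int:
    """Bytes that sit outside the encrypted region."""
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR
            + CIPHER_IV[cipher] + ICV_LEN[integrity])


def _inside_fixed_len(l2tp_sequencing: bool) -> int:
    """Encrypted bytes that are present regardless of the TCP payload size."""
    return (UDP_HDR + l2tp_header_len(l2tp_sequencing) + PPP_HDR
            + IPV4_HDR + TCP_HDR + ESP_TRAILER)


def encapsulated_size(mss: int, nat_t: bool = False, cipher: str = "aes-cbc",
                      integrity: str = "hmac-sha1-96",
                      l2tp_sequencing: bool = False) -> int:
    """On-wire size of a full-MSS TCP segment after L2TP/IPsec encapsulation."""
    block = CIPHER_BLOCK[cipher]
    encrypted = _inside_fixed_len(l2tp_sequencing) + mss
    padded = -(-encrypted // block) * block        # round up to block size
    return _outside_len(nat_t, cipher, integrity) + padded


def max_tcp_mss(mtu: int = 1500, nat_t: bool = False, cipher: str = "aes-cbc",
                integrity: str = "hmac-sha1-96",
                l2tp_sequencing: bool = False) -> int:
    """Largest MSS whose encapsulated segment still fits in `mtu`.

    The encrypted region must be a whole number of cipher blocks, so the
    usable budget is the largest block multiple that fits after the headers
    that sit outside the encrypted region."""
    block = CIPHER_BLOCK[cipher]
    budget = (mtu - _outside_len(nat_t, cipher, integrity)) // block * block
    return budget - _inside_fixed_len(l2tp_sequencing)


def fits(mss: int, mtu: int = 1500, **kw) -> bool:
    """True if a full-MSS segment survives encapsulation without exceeding MTU."""
    return encapsulated_size(mss, **kw) <= mtu


if __name__ == "__main__":
    for label, kw in [("plain", {}),
                      ("NAT-T", {"nat_t": True}),
                      ("NAT-T + L2TP seq", {"nat_t": True, "l2tp_sequencing": True}),
                      ("NAT-T + SHA-256", {"nat_t": True, "integrity": "hmac-sha2-256-128"})]:
        print(f"{label:18s} max MSS {max_tcp_mss(**kw)}  "
              f"1360 fits: {fits(1360, **kw)}")
```

With these assumptions the guide's 1360 leaves headroom for a plain AES-CBC/HMAC-SHA1 tunnel and still fits once NAT-T adds its UDP header, but not if the L2TP data channel also carries sequence numbers; that is the kind of configuration difference the note above is warning about, and why the value should be checked against your own tunnel rather than copied.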
Table 4-36 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above.
Table 4-36. Checklist for Access Policies for an L2TP over IPsec VPN

When Required                                      | User Group                                     | From Zone | To Zone  | Service                     | Source   | Destination | TCP MSS | Number of policies
---------------------------------------------------|------------------------------------------------|-----------|----------|-----------------------------|----------|-------------|---------|--------------------
Always                                             | None                                           | Remote    | SELF     | IKE (isakmp)                | 3 or Any | 1           | —       | 1
Always                                             | None                                           | SELF      | Remote   | IKE (isakmp)                | 1        | 3 or Any    | —       | 1
Always                                             | None                                           | Remote    | SELF     | L2TP (l2tp-udp)             | 3 or Any | 1           | —       | 1
Always                                             | None                                           | SELF      | Remote   | L2TP (l2tp-udp)             | 1        | 3 or Any    | —       | 1
Always                                             | L2TP user groups (or None, not recommended)    | EXTERNAL  | Local    | Any you choose              | 4        | 2           | 1360    | As many as you choose
Local endpoints initiate sessions with remote      | None (or local user groups)                    | Local     | EXTERNAL | Any you choose              | 2        | 4           | 1360    | As many as you choose
When NAT-T is used                                 | None                                           | Remote    | SELF     | NAT-T (ipsec-nat-t-udp)     | 3 or Any | 1           | —       | 1
When NAT-T is used                                 | None                                           | SELF      | Remote   | NAT-T (ipsec-nat-t-udp)     | 1        | 3 or Any    | —       | 1