HP TMS zl Module Security Administrator's Guide
4-324
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
even configure the TMS zl module to exchange dynamic routing messages
through the GRE tunnel. To send routing messages (RIP and OSPF) through
a GRE tunnel, you must enable RIP or OSPF on the GRE tunnel.
Because GRE tunnels do not encrypt traffic, you should configure GRE over
IPsec for traffic that requires data integrity or data privacy. GRE over IPsec
can also tunnel both unicast and multicast traffic, so you might use a GRE
over IPsec connection in conjunction with a site-to-site IPsec VPN. The IPsec
VPN would carry most traffic, but the GRE over IPsec connection could carry
routing updates and other multicast traffic.
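The following Python script is an added illustration and is not part of the HP guide or of the TMS zl Module software. It encapsulates a constructed IPv4/UDP packet in a plain GRE header (RFC 2784 with the RFC 2890 Key and Sequence fields) and then shows what anyone on the transit path can do with it: read the inner addresses and payload, and alter the payload without the receiving endpoint noticing, because GRE carries no encryption and no authentication. The addresses, the 0xCAFE key and the syslog line are all made up for the example.

```python
import socket
import struct
from typing import Optional, Tuple

# GRE header bit layout (RFC 2784, plus the RFC 2890 Key/Sequence extensions):
#   bit 0: C (checksum present)  bit 2: K (key present)  bit 3: S (sequence present)
#   bits 13-15: version (must be 0)   next 16 bits: protocol type of the payload
GRE_FLAG_C = 0x8000
GRE_FLAG_K = 0x2000
GRE_FLAG_S = 0x1000
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def gre_encapsulate(inner: bytes, proto: int = ETHERTYPE_IPV4,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Wrap an inner packet in a GRE header. The optional Key is a 32-bit tunnel
    identifier, not a secret: it travels in cleartext like everything else here."""
    flags = 0
    opt = b""
    if key is not None:
        flags |= GRE_FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opt += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + opt + inner


def gre_decapsulate(pkt: bytes) -> Tuple[int, Optional[int], Optional[int], bytes]:
    """Parse a GRE packet into (proto, key, seq, inner). There is no
    authentication to verify: GRE does not define any."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    off = 4
    key = seq = None
    if flags & GRE_FLAG_C:
        off += 4  # 16-bit checksum + 16-bit reserved1; an integrity hint, not a MAC
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    return proto, key, seq, pkt[off:]


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Minimal IPv4+UDP packet (checksums left zero; enough for parsing)."""
    udp_len = 8 + len(data)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def on_path_observer(gre_pkt: bytes):
    """What a passive observer on the transit path recovers from bare GRE."""
    proto, _key, _seq, inner = gre_decapsulate(gre_pkt)
    if proto != ETHERTYPE_IPV4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    payload = inner[ihl + 8:]  # skip the IPv4 header and the 8-byte UDP header
    return src, dst, payload


def tamper(gre_pkt: bytes, payload_offset: int, value: int) -> bytes:
    """Overwrite one byte of the inner UDP payload in transit. The receiving
    GRE endpoint decapsulates the result exactly as if it were genuine."""
    _proto, _key, _seq, inner = gre_decapsulate(gre_pkt)
    hdr_len = len(gre_pkt) - len(inner)
    ihl = (inner[0] & 0x0F) * 4
    out = bytearray(gre_pkt)
    out[hdr_len + ihl + 8 + payload_offset] = value
    return bytes(out)


# Constructed sample: a "private" syslog message crossing a plain GRE tunnel.
SAMPLE_INNER = build_ipv4_udp("10.1.0.5", "10.2.0.9", 40000, 514,
                              b"<13>syslog: admin login ok")
SAMPLE_GRE = gre_encapsulate(SAMPLE_INNER, key=0xCAFE, seq=1)

if __name__ == "__main__":
    print("observer sees:", on_path_observer(SAMPLE_GRE))
    print("after tamper :", on_path_observer(tamper(SAMPLE_GRE, 0, ord("!"))))
```

Both calls succeed without any error: the only GRE integrity feature is the optional, non-cryptographic checksum, and even that is absent here. This is exactly the gap that wrapping the GRE packets in IPsec (ESP with authentication) closes.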
GRE Tunnel Keepalives
GRE tunnels are designed to be completely stateless: neither tunnel endpoint
keeps any information about the state or availability of the other tunnel
endpoint. In other words, the tunnel interface on the local endpoint does not
go “down” when the remote endpoint becomes unreachable.
A GRE tunnel normally comes “up” as soon as the following conditions are
met:
■ The local tunnel endpoint has a route to the remote tunnel endpoint (that
is not through the tunnel itself).
■ The interface serving as the local tunnel endpoint is up.
In fact, a GRE tunnel indicates that it is up before the other side of the
tunnel is even configured. As a result, the local tunnel endpoint routes
packets into the GRE tunnel even when the remote endpoint is unreachable, and
those packets are silently lost.
The TMS zl Module supports a GRE tunnel keepalive mechanism, which
enables each GRE tunnel endpoint to verify that the other tunnel endpoint is
reachable. If the remote endpoint does not respond to a certain number of
keepalives (the number being configurable per-tunnel), the module considers
the GRE tunnel to be down.
When the GRE tunnel is down, any static routes pointing out of the GRE tunnel
interface are removed from the routing table. In this way, the module avoids
sending packets across the GRE tunnel when the remote endpoint is unreachable.
However, the module continues sending keepalives so that when the remote
tunnel endpoint again becomes reachable, the GRE tunnel will go back up.
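The following Python model is an added illustration and is not part of the HP guide or of the TMS zl Module software. It models the behaviour described above: a tunnel that is “up” as soon as its local interface is up and a non-tunnel route to the remote endpoint exists, a per-tunnel threshold of missed keepalives after which the tunnel is declared down and its static routes are withdrawn, keepalives that keep being sent while the tunnel is down, and automatic recovery when the remote answers again. The threshold value of 3, the tunnel name and the prefix are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class GreTunnel:
    name: str
    local_if_up: bool = True          # interface serving as the local tunnel endpoint
    has_route_to_remote: bool = True  # route to the remote endpoint, not via the tunnel
    keepalive_retries: int = 3        # assumed per-tunnel "missed keepalives before down"
    missed: int = 0                   # consecutive unanswered keepalives
    keepalives_sent: int = 0
    up: bool = False


class Router:
    """Tiny routing-table model: static routes via a tunnel are installed in the
    RIB only while that tunnel is up."""

    def __init__(self) -> None:
        self.tunnels: Dict[str, GreTunnel] = {}
        self.static_routes: List[Tuple[str, str]] = []  # (prefix, tunnel name)
        self.rib: Set[str] = set()                       # prefixes currently installed

    def add_tunnel(self, t: GreTunnel) -> None:
        self.tunnels[t.name] = t
        # Stateless GRE: the tunnel comes up without any word from the remote side.
        t.up = self._local_ready(t)
        self._sync_routes(t)

    def add_static_route(self, prefix: str, via: str) -> None:
        self.static_routes.append((prefix, via))
        self._sync_routes(self.tunnels[via])

    @staticmethod
    def _local_ready(t: GreTunnel) -> bool:
        return t.local_if_up and t.has_route_to_remote

    def _sync_routes(self, t: GreTunnel) -> None:
        for prefix, via in self.static_routes:
            if via != t.name:
                continue
            if t.up:
                self.rib.add(prefix)
            else:
                self.rib.discard(prefix)

    def keepalive_tick(self, name: str, remote_replied: bool) -> bool:
        """One keepalive interval. Returns the tunnel state after the tick."""
        t = self.tunnels[name]
        if not self._local_ready(t):
            t.up = False                # cannot even send a keepalive
            self._sync_routes(t)
            return t.up
        t.keepalives_sent += 1          # sent whether the tunnel is up or down
        if remote_replied:
            t.missed = 0
            t.up = True                 # recovery once the remote answers again
        else:
            t.missed += 1
            if t.missed >= t.keepalive_retries:
                t.up = False            # threshold reached: declare the tunnel down
        self._sync_routes(t)
        return t.up


def demo() -> List[Tuple[bool, bool]]:
    """Returns (tunnel_up, route_installed) after each phase of the scenario."""
    prefix = "192.168.50.0/24"
    r = Router()
    t = GreTunnel("tun1")
    r.add_tunnel(t)
    r.add_static_route(prefix, "tun1")
    phases = [(t.up, prefix in r.rib)]          # up although the remote never answered
    for _ in range(t.keepalive_retries):
        r.keepalive_tick("tun1", remote_replied=False)
    phases.append((t.up, prefix in r.rib))      # down, static route withdrawn
    r.keepalive_tick("tun1", remote_replied=True)
    phases.append((t.up, prefix in r.rib))      # back up, route reinstalled
    return phases


if __name__ == "__main__":
    print(demo())
```

The first phase is the security-relevant one: without keepalives the route stays installed and traffic is black-holed toward an endpoint that may not exist. With keepalives the route is withdrawn after the configured number of misses, so a backup path (for example a static route with a higher administrative distance) can take over, and the periodic keepalives keep probing so the tunnel returns to service on its own.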