HP TMS zl Module Security Administrator's Guide

4-326
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
Floating Static Routes
Whenever you configure a GRE tunnel, you must configure routes to subnets behind the remote tunnel endpoint; the forwarding interface for these routes should be the tunnel interface. These routes can be static routes that you add manually (including default routes), or you can configure a routing protocol on the GRE tunnel to enable the module to discover dynamic routes.

Similarly, when you configure a redundant GRE tunnel, you must configure routes to remote networks through the redundant tunnel interface as well. However, to ensure that the primary tunnel is used whenever possible, you should configure the routes that use the redundant tunnel as floating static routes (or floating default routes), which have a higher administrative distance (or the same administrative distance and a higher metric) than a primary static route, or a higher administrative distance than a primary dynamic route.
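The following Python model, added here as an illustration and not taken from the guide or from the TMS zl Module's own software, shows how the route-selection rule above plays out: a floating static route only wins when the primary tunnel interface is down. The interface names (tunnel1, tunnel2), prefixes and administrative-distance and metric values are constructed for the example; the guide does not state the module's actual default distances. The selection order (longest prefix, then lowest administrative distance, then lowest metric) is the general convention and is the assumption the model encodes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network in CIDR notation
    interface: str       # forwarding interface (here always a tunnel interface)
    admin_distance: int  # lower is preferred across route sources
    metric: int          # lower is preferred within the same administrative distance
    source: str          # "static" or "dynamic" (label only, for the floating-route rule)


# Constructed sample routing table (hypothetical names and values).
ROUTES = [
    Route("10.20.0.0/16", "tunnel1", 1, 1, "static"),
    Route("10.20.0.0/16", "tunnel2", 10, 1, "static"),     # floating: higher admin distance
    Route("10.30.0.0/16", "tunnel1", 1, 1, "static"),
    Route("10.30.0.0/16", "tunnel2", 1, 5, "static"),      # floating: same distance, higher metric
    Route("10.40.0.0/16", "tunnel1", 110, 20, "dynamic"),  # learned via a routing protocol
    Route("10.40.0.0/16", "tunnel2", 120, 1, "static"),    # floating: distance above the dynamic route
    Route("0.0.0.0/0", "tunnel1", 1, 1, "static"),
    Route("0.0.0.0/0", "tunnel2", 10, 1, "static"),        # floating default route
]


def select_route(dest: str, routes: Iterable[Route], up_interfaces: Set[str]) -> Optional[Route]:
    """Pick the route used to forward to dest, ignoring routes whose interface is down.

    Preference order: longest matching prefix, then lowest administrative
    distance, then lowest metric. Returns None when nothing usable matches.
    """
    addr = ipaddress.ip_address(dest)
    best, best_key = None, None
    for route in routes:
        if route.interface not in up_interfaces:
            continue  # a route through a down tunnel cannot be used
        net = ipaddress.ip_network(route.prefix)
        if addr not in net:
            continue
        key = (-net.prefixlen, route.admin_distance, route.metric)
        if best_key is None or key < best_key:
            best, best_key = route, key
    return best


def is_valid_floating(primary: Route, backup: Route) -> bool:
    """Check the guide's rule for a backup route that should only float in when the primary fails.

    A higher administrative distance always qualifies. The same distance with a
    higher metric qualifies only against a primary *static* route; against a
    dynamic primary the backup must have a strictly higher distance.
    """
    if backup.admin_distance > primary.admin_distance:
        return True
    if primary.source == "static" and backup.admin_distance == primary.admin_distance:
        return backup.metric > primary.metric
    return False


if __name__ == "__main__":
    for up in ({"tunnel1", "tunnel2"}, {"tunnel2"}):
        for dest in ("10.20.5.1", "10.30.1.1", "10.40.1.1", "192.0.2.7"):
            chosen = select_route(dest, ROUTES, up)
            print(f"up={sorted(up)} dest={dest} -> {chosen.prefix} via {chosen.interface}")
```

With both tunnels up every destination is forwarded through tunnel1; when tunnel1 is removed from the set of up interfaces, the same destinations fall back to the tunnel2 routes, including the floating default route. The model treats a down interface as withdrawing every route through it, which is the behaviour a floating static route relies on; whether the module detects tunnel failure quickly enough is a separate question the guide does not address on this page.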
Maximum Segment Size (MSS) for TCP Connections
As you learned, a GRE header is added to packets sent over a GRE tunnel. The
GRE header increases the size of the total frame and may make the packet
larger than the maximum transmission unit (MTU) of a router that lies
between the module and the remote tunnel endpoint. In that case, and if the
router does not allow fragmentation, the router will drop the frame, interfering
with communication across the tunnel.
To avoid this problem, you should configure the TMS zl Module to negotiate
a smaller maximum segment size (MSS) for TCP connections associated with
traffic sent over the GRE tunnel. For example, the smallest MTU in the path
between the TMS zl Module and remote tunnel endpoint is 1500 bytes. The
GRE header and the delivery IP header add 24 bytes to packets in addition to
the 40 bytes added by standard TCP and IP headers. In this case, set the MSS
to 1436 bytes or smaller. (When you use GRE with IPsec, you must set the MSS
smaller still.) You set the MSS on the Advanced tab of the firewall access policy
associated with traffic sent over the GRE tunnel.
For more information on the TCP MSS, see Chapter 6: “Configuring the TMS
zl Module Firewall.”
Configure a GRE Tunnel
To configure a GRE tunnel, complete the following tasks:
1. Create named objects, which you can use in firewall access policies
related to the GRE tunnel. This step is optional.