HP TMS zl Module Security Administrator's Guide

4-393
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
For access policies that permit the traffic sent over the tunnel, you should
consider setting the TCP MSS to a value lower than the typical MSS used in
your system. Otherwise, the addition of the GRE and IP delivery headers might
make the packets too large to be transmitted. Table 4-44 suggests a value for
the TCP MSS when the MTU is 1500. For more information on the TCP MSS,
see “Maximum Segment Size (MSS) for TCP Connections” on page 4-26.
Note: The value for TCP MSS in the table is only a suggestion. You should determine the best setting for your environment.
Table 4-44. Checklist for Access Policies for a GRE over IPsec VPN (Manual Keying)

| When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of Policies |
|---|---|---|---|---|---|---|---|---|
| Always | Unicast | Remote | SELF | (47) GRE | 3 | 1 | | 1 |
| Always | Unicast | SELF | Remote | (47) GRE | 1 | 3 | | 1 |
| Always | Unicast | Local | Tunnel | Any that you choose | 2 | 4 | 1388 | As many as you choose |
| Always | Unicast | Tunnel | Local | Any that you choose | 4 | 2 | 1388 | As many as you choose |
| NAT-T is used | Unicast | Remote | SELF | NAT-T (ipsec-nat-t-udp) | 3 | 1 | | 1 |
| NAT-T is used | Unicast | SELF | Remote | NAT-T (ipsec-nat-t-udp) | 1 | 2 | | 1 |
| Tunnel must carry multicasts | Multicast | Local | Tunnel | Any that you choose | 2 | Any Address or multicast address | 1388 | As many as you choose |
| Tunnel must carry multicasts | Multicast | Tunnel | Local | Any that you choose | 4 | Any Address or multicast address | 1388 | As many as you choose |
| Dynamic routing over the tunnel; default policies disabled | Unicast | Tunnel | SELF | OSPF or RIP | 6 | 5 | | 1 |
| Dynamic routing over the tunnel; default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | | 1 |