TMS zl Management and Configuration Guide ST.1.0.090213
7-17
Virtual Private Networks
IPsec VPNs
Table 7-2. Advanced IPsec Features
IP Compression. Various data-link layer protocols compress packets to reduce the bandwidth they require. Once IPsec has encrypted a packet, however, such compression no longer helps: ciphertext is effectively random and contains no redundancy for the compressor to remove, and the protected payload cannot be altered without failing its integrity check. IP compression (IPComp) instead has the TMS zl Module compress the IP packet before it is encrypted, which can improve throughput on links carrying compressible traffic. One caveat: when compressed data mixes attacker-influenced input with secrets, the size of the resulting packet can reveal information about the secrets, so weigh this before enabling the feature for such traffic.
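The ordering point above, as an added example that is not code from the TMS zl guide or the module: the same clear packet is compressed then encrypted (the IPComp order) and encrypted then compressed (what a link-layer compressor would see). The cipher is a toy SHA-256 counter-mode keystream standing in for ESP's real encryption, and the HTTP-like payload is constructed; both are assumptions of this example.

```python
"""Added example (not from the TMS zl guide): why IP compression must run
before ESP encryption. Ciphertext is indistinguishable from random bytes, so
a compressor applied after encryption finds nothing to remove; compressing
first (the IPComp / RFC 3173 order) works. The cipher below is a toy
stand-in for ESP, assumed for this example only."""
import hashlib
import zlib

# Constructed sample payload: repetitive, text-like data of the kind a VPN
# tunnel often carries. Real traffic is usually far from random.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
) * 40


def toy_keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Enough to
    make the output look random; NOT a real cipher, do not reuse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(plain: bytes, key: bytes) -> bytes:
    """IPComp order: shrink the clear packet, then encrypt it."""
    return toy_keystream_encrypt(zlib.compress(plain, 9), key)


def encrypt_then_compress(plain: bytes, key: bytes) -> bytes:
    """Link-layer order: encrypt first, then let a compressor try."""
    return zlib.compress(toy_keystream_encrypt(plain, key), 9)


def savings(plain: bytes, key: bytes) -> dict:
    """Bytes that reach the wire under each ordering, beside the clear size."""
    return {
        "clear": len(plain),
        "compress_then_encrypt": len(compress_then_encrypt(plain, key)),
        "encrypt_then_compress": len(encrypt_then_compress(plain, key)),
    }


if __name__ == "__main__":
    demo_key = b"\x01" * 32   # constructed demo key
    print(savings(SAMPLE_PAYLOAD, demo_key))
```

The compress-then-encrypt size is a small fraction of the clear packet, while the encrypt-then-compress size is at least the clear size (zlib falls back to a stored block plus its own framing), which is exactly why the compression step has to sit on the clear side of the encryption.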
Anti-Replay Window. The TMS zl Module checks the sequence number of each IPsec packet received on an SA. A packet whose sequence number has already been accepted, or that falls behind the window, is dropped. This protects against replay attacks, in which an attacker captures legitimate packets and resends them later for its own purposes. Because packets can legitimately arrive slightly out of order, the module accepts an out-of-sequence packet as long as its sequence number falls within the anti-replay window and has not been seen before.
For example, suppose that the anti-replay window size is at the default, 32. If the highest sequence number that the TMS zl Module has accepted is 120, the window covers sequence numbers 89 through 120. A packet numbered 88 or lower is dropped as too old; a packet numbered 89 through 120 is accepted unless that number has already been received, in which case it is dropped as a replay; and a packet numbered above 120 is accepted and slides the window forward.
If your VPN users complain of poor quality, the cause may be late packets that the window drops and that the application experiences as loss; in that case you might increase the window size. This is especially likely when the VPN connection uses QoS, because low-priority packets can be queued behind higher-priority traffic and arrive later than usual. Increase the size only as far as the traffic requires; a replayed copy of a packet that has already been received is rejected whatever the window size.
Extended Sequence Number. By default, IPsec uses a 32-bit sequence number. Because a sequence number must never be reused within an SA, this limits an SA to 2^32 (about 4.3 billion) packets before it must be re-keyed (see the re-key on sequence number overflow setting in Table 7-2). If your SA has a relatively long lifetime and carries a great deal of traffic, you might want to enable extended sequence numbers (64 bits) to allow up to 2^64 (about 18 quintillion) packets. Only the low 32 bits of an extended sequence number are carried in the packet; each peer tracks the high-order bits locally, so both ends of the SA must agree to use the feature.
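The anti-replay window and extended sequence number behaviour described above, as one added example that is not code from the TMS zl guide or the module: a receiver window following RFC 4303 section 3.4.3, the high-bit reconstruction for ESN from RFC 4303 appendix A, and a sender counter that stops at overflow instead of wrapping (the re-key on sequence number overflow behaviour). The window size of 32, the sample sequence numbers and all names are assumptions for illustration; the module's own implementation is not public and may differ in detail.

```python
"""Added example, not code from the TMS zl guide or the module itself: the
receiver-side anti-replay window of RFC 4303 section 3.4.3, the extended
sequence number (ESN) high-bit reconstruction of RFC 4303 appendix A, and a
sender-side counter that refuses to wrap. The window size (32), the sample
sequence numbers and all names are assumptions for illustration; the module's
own implementation is not public and may differ in detail."""

MASK32 = 0xFFFFFFFF


class ReplayWindow:
    """Anti-replay state for one inbound SA. Real ESP runs this check before
    the integrity check and updates the window only after the ICV verifies;
    the ICV step is omitted here."""

    def __init__(self, size: int = 32, esn: bool = False):
        self.size = size
        self.esn = esn
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  ->  (top - i) has already been received

    def _full_seq(self, low: int) -> int:
        """Rebuild the 64-bit number from the 32 bits on the wire (RFC 4303
        A2.2). Without ESN the wire value is the whole sequence number."""
        if not self.esn:
            return low
        seqh, seql = self.top >> 32, self.top & MASK32
        bl = (seql - self.size + 1) & MASK32    # low half of window's left edge
        if seql >= self.size - 1:               # window lies within one 2**32 span
            high = seqh if low >= bl else seqh + 1
        else:                                   # window straddles a 32-bit wrap
            high = seqh - 1 if low >= bl else seqh
        return (high << 32) | low

    def receive(self, wire_seq: int) -> str:
        """Return 'accept' or a 'drop: ...' verdict for one received packet."""
        seq = self._full_seq(wire_seq)
        if seq <= 0:
            return "drop: invalid sequence number"
        if seq > self.top:                      # right of the window: slide it
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        if seq < self.top - self.size + 1:      # left of the window: too old
            return "drop: below window"
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                   # inside the window, seen before
            return "drop: replay"
        self.bitmap |= bit
        return "accept"


class OutboundCounter:
    """Sender side. A number must never be reused within an SA, so the
    counter stops at its limit and demands a re-key instead of wrapping
    (the guide's 'Re-key on sequence number overflow' behaviour)."""

    def __init__(self, esn: bool = False, start: int = 0):
        self.limit = (1 << 64) - 1 if esn else (1 << 32) - 1
        self.value = start

    def next_seq(self) -> int:
        if self.value >= self.limit:
            raise OverflowError("sequence number exhausted: re-key the SA")
        self.value += 1
        return self.value

    def wire_value(self) -> int:
        """With ESN only the low 32 bits are sent; the high bits are implicit."""
        return self.value & MASK32


def rekey_needed(esn: bool, packets_sent: int) -> bool:
    """True if an SA that has already sent packets_sent packets cannot
    number the next one and must be re-keyed."""
    try:
        OutboundCounter(esn=esn, start=packets_sent).next_seq()
        return False
    except OverflowError:
        return True


def guide_example() -> list:
    """Window 32 with highest accepted number 120: 89..120 is the window,
    88 is below it, a second 120 is a replay, 121 slides the window."""
    w = ReplayWindow(size=32)
    return [w.receive(n) for n in (120, 89, 88, 120, 121, 89)]


def esn_wrap_example() -> tuple:
    """Wire values wrap from 0xFFFFFFF0 to 3. With ESN the receiver infers
    the high half and carries on; without it the packet looks too old."""
    wire = (1000, 0xFFFFFFF0, 3, 0xFFFFFFF5, 0xFFFFFFF0)   # constructed input
    with_esn, without = ReplayWindow(32, esn=True), ReplayWindow(32)
    return ([with_esn.receive(n) for n in wire], [without.receive(n) for n in wire])


if __name__ == "__main__":
    print(guide_example())
    print(esn_wrap_example())
    print(rekey_needed(False, (1 << 32) - 1), rekey_needed(True, (1 << 32) - 1))
```

Two things worth noticing when running it: after 121 arrives, 89 is no longer accepted because the window has moved to 90..121, and in the ESN run the wire value 0xFFFFFFF5 that arrives after the wrap is correctly placed in the old 2^32 span and accepted, while the repeated 0xFFFFFFF0 is still caught as a replay.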
Feature                                   Default Setting
----------------------------------------  ---------------------------------
IP compression                            Disabled
Anti-replay window                        Always enabled (default size 32)
Extended sequence number                  Disabled
Re-key on sequence number overflow        Enabled
Persistent tunnel                         Disabled
Fragment before IPsec                     Enabled
Copy DSCP value from the clear packet     Disabled
Copy DF bit from the clear packet         Enabled