TMS zl Management and Configuration Guide ST.1.0.090213

7-18
Virtual Private Networks
IPsec VPNs
Re-key on Sequence Number Overflow. As described in the previous section, an SA is limited to 2^32 or 2^64 packets (depending on whether you enabled extended sequence numbers). You can enable the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number.
By default, this feature is enabled. You should typically leave it enabled. Otherwise, if the SA runs out of sequence numbers, it becomes unavailable until its lifetime expires.
Persistent Tunnel. An IPsec SA configured as a persistent tunnel always
remains open. It is renewed even if it remains inactive longer than the lifetime.
You might enable a persistent tunnel for a site-to-site VPN connection.
Fragmentation Before IPsec. When you enable this feature, the TMS zl
Module detects whether packets will require fragmentation. It even takes into
account the extra bytes that will be added by IPsec headers. If fragmentation
is necessary, the module fragments the packets first and then encrypts the
fragments. Fragmenting the packets before encryption helps the remote
tunnel endpoint process and decrypt the packets more quickly.
The Copying of Values from the Original IP Header. In tunnel mode, a delivery IP header encapsulates the original IP header. However, the original header might contain information that is important for handling the packet, such as:
• A Differentiated Services Code Point (DSCP) value, which marks the packet for a particular QoS
• A Don’t Fragment (DF) bit, which specifies whether the packet can be fragmented
The TMS zl Module can copy the DSCP value and DF bit from the original IP header to the delivery header. In this way, it ensures the correct handling for the packet.
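The fragmentation-before-IPsec and DF-bit handling described above, as an added worked example (not code from this guide or from the TMS zl Module): it accounts for the ESP tunnel-mode overhead, sizes the pre-encryption fragments so that each encrypted fragment fits the path MTU, and refuses to fragment when the original header’s DF bit is set. The cipher sizes (AES-CBC, HMAC-SHA1-96) and the 1500-byte MTU are assumptions constructed for the example.

```python
from dataclasses import dataclass
import math

# Fixed IPv4/ESP sizes (assumed: no IP options, 4-byte ESP sequence numbers).
IPV4_HDR = 20      # outer delivery header in tunnel mode, and the inner header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part


@dataclass
class EspParams:
    """Cipher/integrity sizes. Defaults are constructed for the example:
    AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV)."""
    iv_len: int = 16
    block: int = 16
    icv_len: int = 12


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / p.block) * p.block
    return IPV4_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_inner_len(mtu: int, p: EspParams) -> int:
    """Largest inner packet whose encapsulation still fits in the path MTU."""
    room = mtu - IPV4_HDR - ESP_HDR - p.iv_len - p.icv_len
    room -= room % p.block            # padded plaintext is a whole number of blocks
    return room - ESP_TRAILER


def fragment_before_ipsec(inner_len: int, df_set: bool, mtu: int, p: EspParams):
    """Return the inner-packet sizes to encrypt, i.e. the fragments created
    before encryption. Returns None when fragmentation is needed but the
    original header's DF bit forbids it (the DF bit is honoured, not cleared)."""
    if esp_tunnel_size(inner_len, p) <= mtu:
        return [inner_len]            # fits as-is, no fragmentation needed
    if df_set:
        return None
    # IPv4 fragment payloads (all but the last) must be multiples of 8 bytes.
    chunk = (max_inner_len(mtu, p) - IPV4_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for ESP tunnel-mode overhead")
    payload = inner_len - IPV4_HDR
    sizes = []
    while payload > 0:
        take = min(chunk, payload)
        sizes.append(IPV4_HDR + take)
        payload -= take
    return sizes
```

With the defaults, a 1500-byte inner packet would become 1560 bytes on the wire, so it is split into two inner fragments of 1436 and 84 bytes, each of which fits a 1500-byte MTU after encapsulation.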
Certificates
You can configure IKE to use certificates for authentication during phase 1.
Certificates tend to be more secure than preshared keys because they can be
unique for each user and are less easily leaked.
A certificate itself includes (among other information):
• A subject name, which identifies the endpoint
• The host’s public key
• The certificate authority’s (CA’s) signature