TMS zl Management and Configuration Guide ST.1.1.100226
7-26
Virtual Private Networks
IPsec Concepts
The NAT-T feature on the TMS zl Module automatically detects one or more
NAT devices between IPsec hosts and negotiates the UDP encapsulation of
the IPsec packets through NAT.
The TMS zl Module implements NAT-T under any of the following circumstances:
■ The remote endpoint or endpoints are behind one or more NAT devices.
■ TMS zl Module is behind a NAT device.
■ Both are behind a NAT device.
The TMS zl Module implements NAT-T in this way:
■ IKE packets are accepted from any port and responses are sent to the port
from which the packet came.
■ NAT-T negotiation is performed in accordance with RFC 4306.
■ UDP encapsulation of ESP packets and NAT keep-alives are supported in
accordance with RFC 3948.
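The three bullet points above describe behaviour that is visible on the wire: after NAT-T is negotiated, IKE, ESP and keep-alive traffic all share UDP port 4500, and the source port seen by the module is whatever the NAT device chose. The following added example (written for this page, not code from the TMS zl guide or from HP) classifies UDP/4500 payloads by the RFC 3948 framing rules, so that a packet capture from a NAT-T session can be checked for what it actually carries. The sample capture at the bottom is constructed; the IKEv2 header values and the source port are illustrative assumptions.

```python
"""Classify UDP/4500 datagrams under RFC 3948 NAT-T framing.

Added example, not code from the TMS zl guide. Sample datagrams are constructed.
"""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: four zero bytes in the SPI slot mark IKE
NAT_KEEPALIVE = b"\xff"              # RFC 3948 s2.3: one-byte keep-alive, never a valid SPI

# IKEv2 exchange types (RFC 4306, carried forward unchanged in RFC 7296)
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKEV2_HEADER = struct.Struct("!QQBBBBII")


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return a dict describing what one UDP/4500 payload carries.

    - exactly one byte 0xFF          -> NAT keep-alive (no further parsing)
    - four zero bytes first          -> IKE; an IKEv2 header follows the marker
    - anything else, >= 8 bytes      -> UDP-encapsulated ESP; SPI and sequence come first
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKEV2_HEADER.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        spi_i, spi_r, _next, version, exch, flags, msg_id, _length = IKEV2_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "version": (version >> 4, version & 0x0F),      # IKEv2 encodes major.minor as 0x20
            "exchange": IKEV2_EXCHANGES.get(exch, f"unknown({exch})"),
            "initiator": bool(flags & 0x08),                # I flag: message from the initiator
            "msg_id": msg_id,
            "spi_i": spi_i,
            "spi_r": spi_r,
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short"}


def ikev2_header(exchange: int, flags: int, msg_id: int,
                 spi_i: int = 0x1122334455667788, spi_r: int = 0) -> bytes:
    """Constructed IKE datagram: non-ESP marker plus a bare IKEv2 header (next payload 33 = SA)."""
    return NON_ESP_MARKER + IKEV2_HEADER.pack(spi_i, spi_r, 33, 0x20, exchange, flags,
                                             msg_id, IKEV2_HEADER.size)


# Constructed (source port, payload) pairs as a NAT device would deliver them to port 4500.
# The translated source port 61024 is an assumption; it is deliberately not 4500.
SAMPLE_CAPTURE = [
    (61024, ikev2_header(34, 0x08, 0)),                           # IKE_SA_INIT from initiator
    (61024, struct.pack("!II", 0x0A0B0C0D, 1) + bytes(16)),       # ESP, SPI 0x0A0B0C0D, seq 1
    (61024, struct.pack("!II", 0x0A0B0C0D, 2) + bytes(16)),       # ESP, seq 2
    (61024, NAT_KEEPALIVE),                                       # keep-alive holding the mapping
]


def summarize(capture) -> dict:
    """Count message kinds and list the source ports the peer's NAT presented."""
    kinds = Counter(classify_nat_t_payload(p)["kind"] for _, p in capture)
    ports = sorted({port for port, _ in capture})
    return {"kinds": dict(kinds), "source_ports": ports}


if __name__ == "__main__":
    for port, payload in SAMPLE_CAPTURE:
        print(port, classify_nat_t_payload(payload))
    print(summarize(SAMPLE_CAPTURE))
```

The source-port list is the point of the first bullet in the guide: the module must accept IKE from whatever port the NAT device assigned and answer to that same port, because that mapping is the only route back to the peer. The keep-alive exists to stop the NAT device from expiring that mapping while no ESP traffic flows.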
Maximum Segment Size (MSS) for TCP Connections
As you learned, an IPsec header is added to packets sent over an IPsec VPN.
The IPsec header increases the size of the total packet and may make the
packet larger than the maximum transmission unit (MTU) of a router that lies
between the module and the other side of the VPN tunnel. In that case, and if
the router does not allow fragmentation, the router will drop the frame,
interfering with communication across the tunnel.
To avoid this problem, you should configure the TMS zl Module to force a
smaller maximum segment size (MSS) for TCP connections associated with
traffic sent over the VPN. The correct size for the MSS depends on the smallest
MTU in the path used by the VPN tunnel as well as the size of the headers
added to the TCP data. The IPsec header size can be variable and, when you
use IPsec tunnel mode, a delivery IP header must be added as well. Therefore,
you might need to set the MSS as much as 144 bytes smaller than the MTU for
your system. You set the MSS on the Advanced tab of the firewall access policy
associated with traffic sent over the VPN.
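The paragraph above says that the right MSS depends on the smallest MTU on the path and on the headers IPsec adds, and that the IPsec overhead is variable. The following added example (not code from the TMS zl guide; the guide does not describe how the module computes anything) makes that arithmetic explicit for ESP tunnel mode. Standard header sizes are used; the three cipher profiles and their IV, block and ICV lengths are illustrative assumptions about common suites, not a statement of what the TMS zl Module negotiates. It goes beyond the text by also checking whether a given MSS value fits exactly once ESP padding is accounted for, which shows why the worst-case figure is conservative.

```python
"""Worked MSS arithmetic for TCP inside an ESP tunnel, with optional NAT-T.

Added example, not from the TMS zl guide. Cipher profiles are assumed values.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options (outer delivery header and inner header)
IPV6_HDR = 40
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T UDP encapsulation (RFC 3948)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int      # IV bytes carried after the ESP header
    block_size: int  # alignment the plaintext must satisfy (at least 4 per RFC 4303)
    icv_len: int     # integrity check value appended after the trailer


# Illustrative profiles; values are assumptions about common suites.
AES128_CBC_SHA1 = EspProfile("AES-CBC-128 / HMAC-SHA1-96", iv_len=16, block_size=16, icv_len=12)
AES128_GCM = EspProfile("AES-GCM-128", iv_len=8, block_size=4, icv_len=16)
TRIPLE_DES_MD5 = EspProfile("3DES-CBC / HMAC-MD5-96", iv_len=8, block_size=8, icv_len=12)


def esp_tunnel_overhead(profile: EspProfile, nat_t: bool = True, ipv6_outer: bool = False) -> int:
    """Worst-case bytes that ESP tunnel mode wraps around an inner IP packet."""
    outer_ip = IPV6_HDR if ipv6_outer else IPV4_HDR
    worst_pad = profile.block_size - 1       # padding needed when the plaintext is one byte off
    return (outer_ip + (UDP_HDR if nat_t else 0) + ESP_HDR + profile.iv_len
            + worst_pad + ESP_TRAILER + profile.icv_len)


def tunnel_tcp_mss(path_mtu: int, profile: EspProfile, nat_t: bool = True,
                   ipv6_outer: bool = False, ipv6_inner: bool = False) -> int:
    """Largest MSS guaranteed to fit in path_mtu for any segment length (conservative)."""
    inner_ip = IPV6_HDR if ipv6_inner else IPV4_HDR
    return path_mtu - esp_tunnel_overhead(profile, nat_t, ipv6_outer) - inner_ip - TCP_HDR


def encapsulated_size(mss: int, profile: EspProfile, nat_t: bool = True) -> int:
    """Exact on-the-wire size of a full-MSS IPv4 TCP segment after ESP tunnel encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss
    plaintext = inner + ESP_TRAILER              # payload + pad length + next header must align
    pad = (-plaintext) % profile.block_size
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + profile.iv_len
            + inner + pad + ESP_TRAILER + profile.icv_len)


def fits(path_mtu: int, mss: int, profile: EspProfile, nat_t: bool = True) -> bool:
    """True when a full-MSS segment will not exceed path_mtu (so no fragmentation is needed)."""
    return encapsulated_size(mss, profile, nat_t) <= path_mtu


if __name__ == "__main__":
    mtu = 1500
    for prof in (AES128_CBC_SHA1, AES128_GCM, TRIPLE_DES_MD5):
        for nat in (False, True):
            mss = tunnel_tcp_mss(mtu, prof, nat_t=nat)
            print(f"{prof.name:28s} nat_t={nat!s:5s} overhead={esp_tunnel_overhead(prof, nat):3d} "
                  f"safe MSS={mss} (plain TCP would use {mtu - IPV4_HDR - TCP_HDR})")
```

The "safe MSS" from tunnel_tcp_mss assumes the worst padding case and is what you would clamp to on the access policy's Advanced tab; fits lets you verify a value you already have against a specific suite. Note that the difference between the plain-TCP MSS and the tunnel MSS is exactly esp_tunnel_overhead, which is why the guide can only give an upper bound rather than a single number: it changes with the IV, block size and ICV of the negotiated transforms and with whether NAT-T's UDP header is present.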
For more information on the TCP MSS, see the introduction to “Firewall
Access Policies” on page 4-22 of Chapter 4: “Firewall.”