TMS zl Management and Configuration Guide ST.1.1.100430

Firewall
Firewall Access Policies
the standard 40 bytes for TCP and IP headers minus another 24 bytes for
the GRE and IP delivery headers). If the path between your module and
the connection’s destination includes a device with a smaller MTU, adjust
the recommendations accordingly. For example, if the smallest MTU on the path is
1400, set the MSS for traffic sent over a GRE tunnel to 1336 (1400 minus the
40 bytes of TCP and IP headers minus the 24 bytes of GRE and delivery headers).
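The arithmetic behind Table 4-3, as an added example that is not part of the guide: a small Python calculator that composes the guide's per-layer header estimates (40 bytes for TCP and IP headers, 24 bytes for GRE plus the delivery IP header, 48 bytes for transport-mode IPsec, 104 bytes for tunnel-mode IPsec) to give the recommended MSS for any path MTU, and checks whether a given MSS would force an encapsulated packet over that MTU. The 52-byte figure used for the L2TP/UDP/PPP headers is not stated in the guide; it is back-derived here from the table's 1360 entry (1500 minus 40 minus 48 minus 1360) and is an assumption, as are the encapsulation names used below.

```python
"""Added example (not from the TMS zl guide): derive the MSS values of
Table 4-3 from the header sizes the guide gives, for any path MTU.

Header sizes taken from the guide: 40 bytes TCP + IP, 24 bytes GRE + delivery
IP, 48 bytes IPsec transport mode, 104 bytes IPsec tunnel mode. The 52-byte
L2TP/UDP/PPP figure is NOT stated in the guide; it is back-derived here from
the table's 1360 entry (1500 - 40 - 48 - 1360) and is an assumption.
Encapsulation names below are this example's own.
"""

ETHERNET_MTU = 1500
TCP_IP_HEADERS = 40  # 20-byte TCP header + 20-byte IP header, no options

# Per-layer overhead in bytes, as the guide estimates it.
OVERHEAD = {
    "gre": 24,              # GRE header + outer (delivery) IP header
    "ipsec_transport": 48,  # guide's conservative estimate, transport mode
    "ipsec_tunnel": 104,    # guide's conservative estimate, tunnel mode
    "l2tp": 52,             # assumption: UDP + L2TP + PPP, derived from Table 4-3
}

# Encapsulation stacks for the rows of Table 4-3 (innermost layer first).
STACKS = {
    "GRE tunnel": ("gre",),
    "GRE over IPsec VPN (transport mode)": ("gre", "ipsec_transport"),
    "GRE over IPsec VPN (tunnel mode)": ("gre", "ipsec_tunnel"),
    "IPsec client-to-site VPN (tunnel mode)": ("ipsec_tunnel",),
    "IPsec site-to-site VPN (tunnel mode)": ("ipsec_tunnel",),
    "L2TP over IPsec VPN (transport mode)": ("l2tp", "ipsec_transport"),
}


def encapsulation_overhead(stack):
    """Total bytes added outside the TCP/IP headers by the given layers."""
    return sum(OVERHEAD[layer] for layer in stack)


def recommended_mss(path_mtu, stack):
    """Largest TCP payload that still fits in one packet after encapsulation."""
    mss = path_mtu - TCP_IP_HEADERS - encapsulation_overhead(stack)
    if mss <= 0:
        raise ValueError(f"path MTU {path_mtu} is too small for {stack}")
    return mss


def encapsulated_size(mss, stack):
    """On-the-wire IP packet size of a full-size segment sent through `stack`."""
    return mss + TCP_IP_HEADERS + encapsulation_overhead(stack)


def needs_fragmentation(mss, stack, path_mtu=ETHERNET_MTU):
    """True when a segment of this MSS exceeds the path MTU once encapsulated.

    Such packets are fragmented, or dropped outright if the DF bit is set,
    which is why the MSS is clamped in the first place.
    """
    return encapsulated_size(mss, stack) > path_mtu


def mss_table(path_mtu=ETHERNET_MTU):
    """Reproduce Table 4-3 for an arbitrary path MTU."""
    return {name: recommended_mss(path_mtu, stack) for name, stack in STACKS.items()}


if __name__ == "__main__":
    for name, mss in mss_table().items():
        print(f"{name:42s} {mss}")
    # The guide's own 1400-byte MTU example for a GRE tunnel:
    print("GRE, path MTU 1400:", recommended_mss(1400, STACKS["GRE tunnel"]))
    # Why clamping matters: the 1460-byte MSS a host derives from a 1500-byte
    # link becomes a 1524-byte packet over plain GRE, 24 bytes too large.
    print("1460 over GRE fragments:", needs_fragmentation(1460, STACKS["GRE tunnel"]))
```

Running the script prints the table for a 1500-byte MTU, the 1336 value for the 1400-byte path used in the text, and the reason the clamp exists: a host that negotiates the 1460-byte MSS it derives from a 1500-byte link produces 1524-byte packets once GRE is added, which a 1500-byte link must fragment or drop. Substitute the smallest MTU on your own path for the default to get figures for your environment.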
Table 4-3. Defining the TCP MSS

Traffic selected by this policy is sent over        Maximum recommended MSS
A GRE tunnel                                         1436
A GRE over IPsec VPN (transport mode)                1388
An IPsec client-to-site VPN (tunnel mode)*           1356
An IPsec site-to-site VPN (tunnel mode)              1356
An L2TP over IPsec VPN (transport mode)              1360

* Only necessary when local devices initiate connections with remote clients.

Note: For IPsec VPNs, the overhead added to each packet depends on several
variables, including the tunnel mode and the security algorithms in use.

The table lists the mode typically used with each type of VPN. IPsec
client-to-site and site-to-site VPNs usually run in tunnel mode; L2TP over IPsec
and GRE over IPsec VPNs typically use transport mode. You can use tunnel mode
for GRE over IPsec, but this adds overhead unnecessarily: the MSS would have to
be decreased by a further 56 bytes, the difference between the 104-byte
tunnel-mode and 48-byte transport-mode estimates.

The table uses a conservative estimate of 48 bytes of overhead for transport-mode
IPsec and 104 bytes of overhead for tunnel-mode IPsec. These recommendations are
guidelines only; determine the correct MSS for your environment. An MSS that is
too large makes the encapsulated packet exceed the path MTU, so it is either
fragmented or, if the Don't Fragment bit is set, dropped.

Default Access Policies

Some access policies are preconfigured on the factory default TMS zl Module.
These general policies allow basic network operation, such as allowing routing
protocols between all zones.

Management-Access Zone Access Policies

When you specify a zone as a management-access zone, the following unicast
policies are automatically created. (See "Configure Management Access Settings"
in Chapter 2: "Initial Setup in Routing Mode.")