TMS zl Management and Configuration Guide ST.1.1.100430
7-23
Virtual Private Networks
IPsec Concepts
For example, suppose that the anti-replay window size is at the default, 32. If
the highest sequence number that the TMS zl Module has received is 120, the
module will accept any packet with a sequence number of 88 or greater.
If your VPN users complain of poor performance, you might increase the
window size. In particular, you might need to increase the size when the links
used by the VPN connection support QoS; low priority packets may arrive later
than typically expected.
Extended Sequence Number
By default, IPsec uses 32 bits for sequence numbers. Because sequence numbers cannot be reused, this limits an SA to 2^32 (4 million) packets. If your SA has a relatively long lifetime and transmits a great deal of traffic, you might want to enable extended sequence numbers (64 bits) to allow up to 2^64 (18 quintillion) packets.
Re-key on Sequence Number Overflow
As described in the previous section, an SA is limited to 2^32 or 2^64 packets (depending on whether you enabled extended sequence numbers). You can enable the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number.
By default, this feature is enabled. You should typically leave it enabled.
Otherwise, if the SA runs out of sequence numbers, it becomes unavailable
until its lifetime expires and the endpoints renegotiate the tunnel.
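The anti-replay window rule illustrated earlier in this section (highest sequence number 120, window 32, so 88 or greater is accepted) and the 2^32 / 2^64 sequence-number limit described above, worked through in Python as an added example. This is not code from the TMS zl guide or the module; the class name, the verdict strings and the sample arrival order are constructed for illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay check (illustrative, not the module's code):
    accepts highest - window_size .. highest, each sequence number once."""

    def __init__(self, window_size=32, seq_bits=32):
        self.window_size = window_size
        self.max_seq = (1 << seq_bits) - 1         # last usable sequence number
        self.highest = 0                           # highest sequence number seen
        self.seen = 1                              # bit i set => highest - i seen (0 is never valid)
        self.mask = (1 << (window_size + 1)) - 1   # bits for highest - window .. highest

    def lowest_accepted(self):
        """Oldest sequence number still inside the window."""
        return max(self.highest - self.window_size, 0)

    def check(self, seq):
        """Classify one received sequence number and update the window."""
        if seq > self.max_seq:
            return "overflow"   # sequence space exhausted: the SA must be re-keyed
        if seq > self.highest:
            shift = seq - self.highest             # slide the window forward
            self.seen = ((self.seen << shift) | 1) & self.mask
            self.highest = seq
            return "accept"
        behind = self.highest - seq
        if behind > self.window_size:
            return "too-old"    # dropped even though it was never seen before
        if self.seen & (1 << behind):
            return "replay"     # duplicate of an already accepted packet
        self.seen |= 1 << behind
        return "accept"


def run_sample(window_size):
    """Feed a constructed arrival order through a fresh window; return verdicts."""
    # Constructed sample: 120 arrives first, then late low-priority packets 90
    # and 80, a replayed copy of 120, and a genuinely new 121.
    arrivals = [120, 90, 80, 120, 121]
    win = AntiReplayWindow(window_size)
    return [(seq, win.check(seq)) for seq in arrivals]


if __name__ == "__main__":
    for size in (32, 64):      # packet 80 is dropped at 32 but kept at 64
        print(size, run_sample(size))
    print(AntiReplayWindow(seq_bits=32).check(2 ** 32))   # overflow
    print(AntiReplayWindow(seq_bits=64).check(2 ** 32))   # accept
```

Running it shows the late packet 80 being dropped as too old with the default window and accepted with a 64-entry window, which is the QoS trade-off described above; the last two lines show where re-keying must happen before the 32-bit and 64-bit sequence spaces run out.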
Persistent Tunnel
An IPsec SA configured as a persistent tunnel always remains open. It is
renewed even if it remains inactive longer than the lifetime. You might enable
a persistent tunnel for a site-to-site VPN connection that is used intermittently.
Fragmentation Before IPsec
When you enable this feature, the TMS zl Module detects whether packets will
require fragmentation. It even takes into account the extra bytes that will be
added by IPsec headers. If fragmentation is necessary, the module fragments
the packets first and then encrypts the fragments. Fragmenting the packets
before encryption helps the remote tunnel endpoint process and decrypt the
packets more quickly.