TMS zl Management and Configuration Guide ST.1.2.100916
A-139
Command-Line Reference
IPsec Policy Context
apply
Once you have configured all parts of the IPsec policy, you must apply the
policy. The apply command verifies that all required settings are configured
and then adds or edits the IPsec policy. (If the requirements are not met, the
command does not take effect, and an error message indicates which settings
are missing.) Enter the following command:
Syntax: apply
iras
To enable (or disable) IRAS (the assignment of IP settings to clients through
IKE Mode Config), enter the following command from the IPsec policy context:
Syntax: [no] iras enable
Table A-40. Advanced IPsec Policy Options

| Extended Command Option | Purpose | Default setting |
|---|---|---|
| ip-compression enable | Enables the TMS zl Module to compress IP packets before encryption, which can help to increase network performance. | Disabled |
| extended-seq-num enable | Enables 64-bit sequence numbers to allow up to 2^64 (18 quintillion) packets per SA. | Disabled |
| rekey-seq-number-overf enable | Enables the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number. | Enabled |
| persistent-tunnel enable | Enables a tunnel to always remain open, even if it remains inactive longer than the lifetime. | Disabled |
| fragment-before-ipsec enable | Enables the TMS zl Module to fragment packets before encryption, helping the remote tunnel endpoint process and decrypt the packets more quickly. | Enabled |
| anti-replay-win-size <size> | The TMS zl Module accepts packets with out-of-order sequence numbers within the range specified by the anti-replay window (32–1024, must be a multiple of 32). | Default size, 32 |
| copy-dscp [enable \| disable <dscp value>] df-bit-handling < copy \| set \| clear > | Specifies how the TMS zl Module handles the DSCP value and the DF bit. When you select disable for copy-dscp, you must set the DSCP value for the packet (0–63). | Copying the DSCP value is disabled and the value is set to 0; copying the DF bit is enabled |
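The effect of the anti-replay-win-size option described above can be seen in a generic sliding-window replay check of the kind RFC 4303 describes. This is an added example, not code from the guide or the TMS zl Module; the class, function and sample arrival order are hypothetical and constructed for illustration.

```python
# Added illustration: generic sliding-window anti-replay check (RFC 4303 style).
# Not the TMS zl Module's implementation; all names here are hypothetical.

class AntiReplayWindow:
    def __init__(self, size=32):
        # Same constraint the table gives for anti-replay-win-size.
        if not 32 <= size <= 1024 or size % 32:
            raise ValueError("window size must be 32-1024 and a multiple of 32")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def accept(self, seq):
        """Return True if the packet passes the replay check, and record it."""
        if seq <= 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.highest:                # newer packet: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                      # already seen: replayed packet
        self.bitmap |= 1 << offset            # late but new: accept once
        return True


def run(size, arrivals):
    """Feed an arrival order through a fresh window; return the verdicts."""
    win = AntiReplayWindow(size)
    return [win.accept(s) for s in arrivals]


# Constructed sample: packet 5 is delayed behind 60 newer packets, then
# packet 5 and packet 65 are each presented a second time.
ARRIVALS = [1, 2, 3, 4] + list(range(6, 66)) + [5, 5, 65]

if __name__ == "__main__":
    for size in (32, 64):
        verdicts = run(size, ARRIVALS)
        print(size, "late packet 5:", verdicts[-3], "repeats:", verdicts[-2:])
```

With the default window of 32 the delayed packet is dropped as too old, while a window of 64 accepts it once; the repeated packets are rejected at either size.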