TMS zl Management and Configuration Guide ST.1.2.100916
7-23
Virtual Private Networks
IPsec Concepts
The Copying of Values from the Original IP Header
In tunnel mode, a delivery IP header encapsulates the original IP header.
However, the original header might contain information that is important for
handling the packet such as:
■ A Differentiated Services Code Point (DSCP) value, which marks the packet
for a particular quality of service (QoS) treatment
■ A Don’t Fragment (DF) bit, which specifies whether the packet can be
fragmented
The TMS zl Module can copy the DSCP value and DF bit from the original IP
header to the delivery header. In this way, it ensures the correct handling of
the packet along the tunnel path.
The module can also set or clear the DF bit for all IPsec packets in an SA. For
example, you might want to ensure that IPsec packets are not fragmented.
In addition, instead of copying the DSCP value from each individual packet, the
TMS zl Module can set the same DSCP value on all the IPsec packets. For example,
you might want to set a relatively high value for a high-priority VPN connection.
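The copy, set and clear policies described above, as an added example in Python (not the module's own code): an inner IPv4 packet is wrapped in a tunnel-mode delivery header whose DSCP and DF bit are inherited from, or overridden relative to, the original header. The ESP protocol number, gateway addresses and the inner packet are assumed values constructed for the example.

```python
import struct

ESP = 50  # IP protocol number for ESP; assumed as the tunnel payload here


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 16-bit-aligned IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(dscp, df, proto, src, dst, payload_len, ttl=64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, offset 0, no MF)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    # TOS byte = DSCP in the top 6 bits, ECN in the low 2 bits (left at 0).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                      0, df << 14, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_fields(pkt: bytes):
    """Return (dscp, df) of the IPv4 header at the start of pkt."""
    tos, flags_frag = pkt[1], struct.unpack("!H", pkt[6:8])[0]
    return tos >> 2, (flags_frag >> 14) & 1


def encapsulate(inner: bytes, src: bytes, dst: bytes,
                dscp="copy", df="copy") -> bytes:
    """Wrap an inner IPv4 packet in a tunnel-mode delivery header.

    dscp: "copy" inherits the inner DSCP; an int sets one fixed value.
    df:   "copy", "set" or "clear" the Don't Fragment bit on the outer header.
    """
    if inner[0] >> 4 != 4:
        raise ValueError("inner packet must be IPv4")
    inner_dscp, inner_df = header_fields(inner)
    outer_dscp = inner_dscp if dscp == "copy" else int(dscp)
    outer_df = {"copy": inner_df, "set": 1, "clear": 0}[df]
    return ipv4_header(outer_dscp, outer_df, ESP, src, dst, len(inner)) + inner


# Constructed sample: inner UDP packet marked DSCP 46 (EF) with DF set.
INNER = ipv4_header(46, 1, 17, b"\x0a\x00\x00\x05", b"\x0a\x00\x01\x09", 8) + b"payload!"
GW_A, GW_B = b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01"  # 192.0.2.1 and 198.51.100.1
```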
Certificates
You can configure IKE to use certificates for authentication during phase 1.
Certificates tend to be more secure than preshared keys because they can be
unique for each user and are less easily leaked.
A certificate itself includes (among other information):
■ A subject name, which identifies the endpoint
■ The host’s public key
■ The certificate authority’s (CA’s) signature
The VPN tunnel endpoints must trust the CAs that sign each other's certificates.
The TMS zl Module supports X.509 certificates in Distinguished Encoding
Rules (DER) or Privacy Enhanced Mail (PEM) format. For the public/private
keypair, it supports DSA and RSA.
You can import certificates into the TMS zl Module manually, or you can obtain
them automatically using the Simple Certificate Enrollment Protocol (SCEP).