The Threat Management Services (TMS) zl Module supports the advanced IPsec settings described below.

IP Compression
Ordinarily, IPsec packets cannot be compressed after the fact, because compression would interfere with encryption and with integrity checks. IP compression allows the TMS zl Module to compress IP packets before they are encrypted, which can help to increase network performance.

Anti-Replay Window
The TMS zl Module checks the sequence number of each IPsec packet within a Security Association (SA). It drops duplicate packets and packets that are too old to protect against replay attacks, in which attackers intercept legitimate packets and resend them for their own purposes. However, because packets might arrive slightly out of order, the TMS zl Module accepts any packet whose sequence number falls within the anti-replay window below the highest sequence number received so far, provided that sequence number has not already been received. For example, if the anti-replay window size is at the default, 32, and the highest sequence number that the TMS zl Module has received is 120, the module accepts a packet with a sequence number between 88 (120 minus 32) and 120 unless it has already received that sequence number, in which case it rejects the packet as a duplicate; it rejects any packet with a lower sequence number as too old. If your VPN users complain of poor quality, you might increase the window size. In particular, you might need to increase the size when the VPN connection supports QoS, because low-priority packets may arrive later than typically expected. A larger window does not let an attacker resend a packet the module has already accepted, but it does widen the span of time during which a captured packet that never arrived can still be delivered, so increase it only as far as needed.

Extended Sequence Number
By default, IPsec uses 32-bit sequence numbers. Because a sequence number cannot be reused within the same SA, this limits an SA to 2^32 packets. If your SA has a relatively long lifetime and transmits a great deal of traffic, you might want to enable extended sequence numbers (64-bit), which allow up to 2^64 packets.

Re-key on Sequence Number Overflow
As described above, an SA is limited to 2^32 or 2^64 packets (depending on whether you enabled extended sequence numbers). You can also enable the TMS zl Module to automatically renegotiate the SA before it reaches the last sequence number. By default, this feature is enabled, and you should typically leave it enabled; otherwise, if the SA runs out of sequence numbers, it becomes unavailable until its lifetime expires and the endpoints renegotiate the SA.

Persistent Tunnel
An IPsec SA that is configured as a persistent tunnel always remains open. It is renewed even if it remains inactive for longer than the specified lifetime. You would enable a persistent tunnel for a site-to-site VPN connection, for example, when the tunnel may be used only intermittently, so that it does not have to be renegotiated each time traffic resumes.

Fragmentation Before IPsec
When you enable this feature, the TMS zl Module determines whether a packet will require fragmentation before it is encrypted, taking into account the extra bytes that the IPsec headers will add. If fragmentation is necessary, the module fragments the packet first and then encrypts each fragment. Fragmenting before encryption lets the remote tunnel endpoint decrypt each fragment as it arrives, rather than having to reassemble IP fragments before it can decrypt anything, so it processes the packets more quickly.

Copying Values from the Original IP Header
In tunnel mode, a delivery IP header encapsulates the original IP header, which might contain information that is important for handling the packet, such as the DSCP value (used for QoS marking) and the DF (Don't Fragment) bit. The TMS zl Module can copy the DSCP value and the DF bit from the original IP header to the delivery header, which ensures that the packet is handled correctly along the path.
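The sliding-window check and the sequence-number exhaustion described above, as an added example in Python that is not the TMS zl Module's own code: it models an RFC 4303-style anti-replay window with a configurable size, and a sender-side counter that flags when an SA should be renegotiated before the counter runs out. The class names, the rekey margin, and the window boundary (in this model a window of 32 with highest sequence number 120 covers 89 through 120; the page does not state which boundary the module uses) are assumptions, and extended sequence numbers are modelled as full 64-bit values rather than being inferred from the 32-bit value on the wire. The arrival order fed to the model is constructed for the illustration.

```python
"""Anti-replay sliding window and sequence-number exhaustion for an IPsec SA.

Added illustration in the style of RFC 4303; not the TMS zl Module's code.
Window boundary, class names and the rekey margin are assumptions.
"""


class AntiReplayWindow:
    """Receiver side: remembers the highest sequence number accepted on one SA
    and a bitmap of which numbers just below it have already been received."""

    def __init__(self, size=32, extended=False):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        # Sequence space: 32-bit by default, 64-bit with extended sequence
        # numbers. (Assumption: ESN values are handled here as full 64-bit
        # numbers; a real receiver sees only the low 32 bits on the wire.)
        self.max_seq = 2**64 - 1 if extended else 2**32 - 1
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) was received

    def check(self, seq):
        """Return 'accept', 'replay' (already received), 'too-old' (below the
        window) or 'invalid' (outside the SA's sequence space)."""
        if seq < 1 or seq > self.max_seq:
            return "invalid"
        if seq > self.highest:
            # New highest number: slide the window up and mark this number.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                     # everything older drops out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq                 # how far below the top
        if offset >= self.size:
            return "too-old"                        # fell out of the window
        if self.bitmap & (1 << offset):
            return "replay"                         # already seen: duplicate
        self.bitmap |= 1 << offset                  # late but genuine
        return "accept"


class SequenceCounter:
    """Sender side: hands out sequence numbers for one SA and flags when the
    SA should be renegotiated before the counter runs out."""

    def __init__(self, extended=False, rekey_margin=1000):
        self.limit = 2**64 - 1 if extended else 2**32 - 1
        self.rekey_margin = rekey_margin  # assumption: rekey this many packets early
        self.seq = 0

    def next(self):
        """Return (sequence number, needs_rekey). Raises once the space is
        exhausted: without re-key on overflow the SA is unusable until it expires."""
        if self.seq >= self.limit:
            raise RuntimeError("sequence space exhausted; SA must be renegotiated")
        self.seq += 1
        return self.seq, self.seq >= self.limit - self.rekey_margin


def simulate(size, seqs, extended=False):
    """Run a constructed arrival order through one window; returns the verdicts."""
    window = AntiReplayWindow(size, extended)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order on an SA with the default window of 32:
    # 120 arrives first, then a late 100, a duplicate 100, 88 (too old),
    # 89 (just inside), 121 (advances the window) and a late 90.
    arrivals = [120, 100, 100, 88, 89, 121, 90]
    for seq, verdict in zip(arrivals, simulate(32, arrivals)):
        print(f"seq {seq:>3}: {verdict}")
    # The same late packet 88 is accepted once the window is widened to 64.
    print("window 64, seq 88 after 120:", simulate(64, [120, 88])[1])
```

Widening the window from 32 to 64 turns the verdict for sequence number 88 from too-old into accept, which is the effect the tuning advice above relies on; a duplicate inside the window is rejected at either size, so widening does not weaken protection against straight resends.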