ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.


ikev2 cookie-challenge number

undo ikev2 cookie-challenge


The cookie challenging feature is disabled.


System view

Predefined user roles




number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.


# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450