[x]

IKEv2 commands > ikev2 cookie-challenge

 

 Next

ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.

Examples

# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450

prev

 

up

 next

identity local 

home

 ikev2 dpd

© Copyright 2018 Hewlett Packard Enterprise Development LP