631
undo ikev2 cookie-challenge
Default
The cookie challenging feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the threshold for triggering the cookie challenging feature. The value range for this
argument is 1 to 1000 half-open IKE SAs.
Usage guidelines
When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie
challenging mechanism. The responder generates a cookie and includes it in the response sent to
the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the
responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is
incorrect, the responder terminates the negotiation.
This feature can protect the responder against DoS attacks which aim to exhaust the responder's
system resources by using a large number of IKE_SA_INIT requests with forged source IP
addresses.
Examples
# Enable the cookie challenging feature and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
ikev2 dpd
Use ikev2 dpd to configure global IKEv2 DPD.
Use undo ikev2 dpd to disable global IKEv2 DPD.
Syntax
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ikev2 dpd interval
Default
Global IKEv2 DPD is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5
seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and
has not received any IPsec packets from the peer for the specified interval.
To Next Page
Loading...
Need help?
General
