98
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the threshold for triggering the cookie challenging feature. The value range for this
argument is 0 to 1000 half-open IKE SAs.
Usage guidelines
When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie
challenging mechanism. The responder generates a cookie and includes it in the response sent to
the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the
responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is
incorrect, the responder terminates the negotiation.
This feature can protect the responder against DoS attacks which aim to exhaust the responder's
system resources by using a large number of IKE_SA_INIT requests with forged source IP
addresses.
Examples
# Enable the cookie challenging feature and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
New command: ikev2 dpd
Use ikev2 dpd to configure the global IKEv2 DPD feature.
Use undo ikev2 dpd to disable the global IKEv2 DPD feature.
Syntax
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ikev2 dpd interval
Default
The global IKEv2 DPD feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
To Next Page
Loading...
Need help?
General
