The ikev2 cookie-challenge command sets the number of half-open (not yet fully established) IKEv2 connections that the device tolerates as responder before it starts answering new IKE_SA_INIT requests with the cookie challenge described below instead of allocating state for them.
The undo ikev2 cookie-challenge command restores the default setting.
By default, the maximum number of half-open connections allowed by IKEv2 is 25000.
| Parameter | Description | Value |
|---|---|---|
| number | Specifies the maximum number of half-open connections allowed by IKEv2. | The value is an integer that ranges from 1 to 1000. |
The IKE_SA_INIT exchange is not yet protected, so an attacker can flood a responder with forged IKE_SA_INIT requests from spoofed source addresses. Every request the responder processes costs it memory for a half-open IKE SA and the computation needed for its reply, so a flood exhausts those resources and denies service to legitimate peers.
IKEv2 defines a cookie exchange against this (RFC 7296, section 2.6). When the responder is under load, it answers the first message from an initiator not with a normal IKE_SA_INIT response but with an unprotected notify payload of type COOKIE, and keeps no state for that request. It then processes only an IKE_SA_INIT request that is retransmitted with that cookie included; an attacker that spoofed its source address never sees the cookie and cannot produce it.
This command therefore decides whether and when the attack defense takes effect: below the configured number of half-open connections the device processes IKE_SA_INIT requests directly, at or above it the device demands cookies. Note that the cookie only forces an initiator to prove it can receive traffic at its claimed address; it does not stop a flood sent from real, reachable addresses, and under load it adds one round trip to every legitimate negotiation.
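The exchange described above, modelled in Python as an added illustration (this is not the device's code or the vendor's implementation). The `threshold` attribute plays the role of the number configured with ikev2 cookie-challenge; the cookie layout, a secret-version byte followed by an HMAC over the initiator's address, SPIi and nonce, follows the construction RFC 7296 suggests, and the secret-rotation and flood helpers are assumptions made for the example.

```python
"""Model of the IKEv2 cookie challenge (RFC 7296, section 2.6).

Added illustration, not the device's code. `threshold` stands in for the
number set with `ikev2 cookie-challenge`; the HMAC cookie layout is the
construction the RFC suggests, not a mandated format.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

COOKIE = 16390  # IANA IKEv2 Notify Message Type value for COOKIE


@dataclass
class Responder:
    threshold: int                     # half-open SAs at which challenges start
    secrets: dict = field(default_factory=lambda: {0: os.urandom(32)})
    version: int = 0                   # current cookie secret version
    half_open: dict = field(default_factory=dict)  # SPIi -> initiator address

    def rotate_secret(self):
        # Keep the previous secret so cookies issued just before rotation still verify.
        self.version += 1
        self.secrets = {self.version: os.urandom(32),
                        self.version - 1: self.secrets[self.version - 1]}

    def _mac(self, version, src, spi_i, nonce_i):
        msg = src.encode() + spi_i + nonce_i
        return hmac.new(self.secrets[version], msg, hashlib.sha256).digest()[:16]

    def make_cookie(self, src, spi_i, nonce_i):
        # Stateless: everything needed to verify it is recomputed from the request.
        return bytes([self.version]) + self._mac(self.version, src, spi_i, nonce_i)

    def cookie_valid(self, cookie, src, spi_i, nonce_i):
        if len(cookie) != 17 or cookie[0] not in self.secrets:
            return False
        return hmac.compare_digest(cookie[1:], self._mac(cookie[0], src, spi_i, nonce_i))

    def handle_sa_init(self, src, spi_i, nonce_i, cookie=None):
        """Process an IKE_SA_INIT request and return the reply as a tuple."""
        if len(self.half_open) >= self.threshold:
            # Under load: allocate no state until the initiator echoes a cookie
            # bound to its own address, proving it actually receives traffic there.
            if cookie is None or not self.cookie_valid(cookie, src, spi_i, nonce_i):
                return ("NOTIFY", COOKIE, self.make_cookie(src, spi_i, nonce_i))
        self.half_open[spi_i] = src        # half-open SA state is created here
        return ("IKE_SA_INIT_RESPONSE", spi_i)


def spoofed_flood(responder, count):
    """Constructed attacker: `count` IKE_SA_INIT requests from forged addresses.

    The attacker never sees the replies, so it cannot echo cookies. Returns the
    number of half-open SAs the responder holds afterwards."""
    for i in range(count):
        responder.handle_sa_init(f"198.51.100.{i % 254 + 1}",
                                 i.to_bytes(8, "big"), os.urandom(32))
    return len(responder.half_open)


def legitimate_initiator(responder, src, spi_i):
    """A real peer retransmits IKE_SA_INIT, same SPIi and nonce, with the cookie."""
    nonce_i = os.urandom(32)
    reply = responder.handle_sa_init(src, spi_i, nonce_i)
    if reply[0] == "NOTIFY" and reply[1] == COOKIE:
        reply = responder.handle_sa_init(src, spi_i, nonce_i, cookie=reply[2])
    return reply[0]


if __name__ == "__main__":
    r = Responder(threshold=100)
    print("half-open SAs after spoofed flood of 1000:", spoofed_flood(r, 1000))
    print("legitimate peer result:", legitimate_initiator(r, "203.0.113.7", b"\xaa" * 8))
```

With a threshold of 100, a flood of 1000 spoofed requests leaves the responder holding exactly 100 half-open SAs, because every request after the threshold is answered with a stateless cookie and dropped. A real initiator still completes: its first request is challenged, its retransmission with the cookie is accepted. The version byte lets the secret be rotated without invalidating cookies issued moments before, which is why `rotate_secret` keeps one previous secret.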