Activation Threshold and Strict Cookie Validation
Where Can I Use This?
What Do I Need?
No license required
Cookie validation is always enabled for IKEv2; it helps
protect against half-open SA DoS attacks, in which an attacker floods the
Responder with IKE_SA_INIT requests (typically from spoofed source addresses)
that are never completed. You can configure the global threshold number of
half-open SAs that will trigger cookie validation. You can also configure
individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
Cookie Activation Threshold
is a global VPN session setting that
limits the number of simultaneous half-open IKE SAs (default is 500). When the
number of half-open IKE SAs exceeds the Cookie Activation Threshold, the
Responder requests a cookie, and the Initiator must resend its IKE_SA_INIT
containing that cookie to validate the connection. If the cookie validation is
successful, another SA can be initiated.
A value of zero means that cookie validation is always on.
The Responder does not maintain any state for the Initiator, nor does it perform a Diffie-Hellman key
exchange, until the Initiator returns the cookie. IKEv2 cookie validation
therefore mitigates a DoS attack that tries to leave numerous connections half open,
because the Responder spends neither memory nor CPU on a peer that cannot prove
it receives packets at the source address it claims.
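The exchange described above, as an added worked example that is not PAN-OS code and not part of the original page: a toy Python responder that only allocates half-open SA state once the half-open count is below the threshold or the Initiator has echoed a valid cookie. The cookie construction follows RFC 7296 section 2.6 (version byte followed by a keyed hash over Ni, IPi, SPIi and a responder secret); the `flood`, `legitimate_initiator` and `replayed_cookie_rejected` helpers, the addresses and the class name are illustrative assumptions for this example, and the "exceeds" rule is simulated as "the half-open count has reached the threshold", so a threshold of 0 naturally means cookies are always demanded.

```python
import hashlib
import hmac
import os

# PAN-OS default Cookie Activation Threshold; 0 means cookie validation is always on.
DEFAULT_THRESHOLD = 500


class Responder:
    """Toy IKEv2 responder applying a cookie activation threshold (example code).

    State for a half-open SA is allocated only while the half-open count is
    below the threshold, or after the Initiator has echoed a valid cookie.
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.secret_version = 1
        self.secret = os.urandom(32)   # a real responder rotates this periodically
        self.half_open = {}            # SPIi -> state, created only after validation

    def _cookie(self, ni, ip_i, spi_i):
        # RFC 7296 section 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def cookies_required(self):
        # Cookies are demanded once the half-open count has reached the threshold;
        # with a threshold of 0 this is always true.
        return len(self.half_open) >= self.threshold

    def handle_ike_sa_init(self, ip_i, spi_i, ni, cookie=None):
        """Process one IKE_SA_INIT request and return (reply_kind, cookie_or_None)."""
        if self.cookies_required():
            expected = self._cookie(ni, ip_i, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # Stateless reply: no SA state, no DH exponentiation, just N(COOKIE).
                return "N(COOKIE)", expected
        # Cookie valid (or not needed): now it is safe to commit state and run DH.
        self.half_open[spi_i] = {"ip": ip_i, "ni": ni}
        return "IKE_SA_INIT_RESPONSE", None


def flood(responder, count):
    """Spoofed-source flood (constructed input): every packet is a fresh IKE_SA_INIT
    from a different address that never answers a cookie request.
    Returns how many half-open SAs the flood managed to leave behind."""
    for i in range(count):
        responder.handle_ike_sa_init(f"198.51.100.{i % 256}", os.urandom(8), os.urandom(32))
    return len(responder.half_open)


def legitimate_initiator(responder, ip_i):
    """A real peer: on N(COOKIE) it resends the same IKE_SA_INIT with the cookie."""
    spi_i, ni = os.urandom(8), os.urandom(32)
    kind, cookie = responder.handle_ike_sa_init(ip_i, spi_i, ni)
    if kind == "N(COOKIE)":
        kind, _ = responder.handle_ike_sa_init(ip_i, spi_i, ni, cookie=cookie)
    return kind, spi_i in responder.half_open


def replayed_cookie_rejected(responder):
    """While cookies are required, a cookie issued for one source address
    is useless when replayed from another (the hash covers IPi)."""
    spi_i, ni = os.urandom(8), os.urandom(32)
    _, cookie = responder.handle_ike_sa_init("203.0.113.5", spi_i, ni)
    kind, _ = responder.handle_ike_sa_init("203.0.113.6", spi_i, ni, cookie=cookie)
    return kind == "N(COOKIE)"
```

Run with a small threshold to see the effect: a flood of thousands of cookie-less IKE_SA_INITs leaves exactly `threshold` half-open SAs and then only ever receives N(COOKIE) replies, while a peer that can actually receive packets at its claimed address completes the round trip and gets its SA state. With a threshold of 0 the responder never commits state on an unvalidated first packet at all.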