Cookie Activation Threshold and Strict Cookie Validation

Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
  • The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.
    The Responder does not maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.
    The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remained at the default value of 65535, cookie validation is essentially disabled.
  • You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. With Strict Cookie Validation disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed or not.

Related Documentation