Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS
attacks. You can configure the global threshold number of half-open SAs that will
trigger cookie validation. You can also configure individual IKE gateways to enforce
cookie validation for every new IKEv2 SA.
The Cookie Activation Threshold is a global VPN
session setting that limits the number of simultaneous half-opened IKE SAs
(default is 500). When the number of half-opened IKE SAs exceeds the
Cookie Activation Threshold, the Responder will
request a cookie, and the Initiator must respond with an IKE_SA_INIT
containing a cookie to validate the connection. If the cookie validation is
successful, another SA can be initiated. A value of zero means that cookie
validation is always on.
The Responder doesn’t maintain a state of the Initiator, nor does it perform
a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2
cookie validation mitigates a DoS attack that would try to leave numerous
connections half open.
The Cookie Activation Threshold must be lower than the
Maximum Half Opened SA setting. If you change the
cookie activation threshold for IKEv2 to a higher number (for example,
65534) while the Maximum Half Opened SA setting
remains at its default value of 65535, cookie validation is effectively disabled.
You can enable Strict Cookie Validation if you want
cookie validation performed for every new IKEv2 SA a gateway receives,
regardless of the global threshold. Strict Cookie
Validation affects only the IKE gateway being configured and
is disabled by default. With Strict Cookie Validation
disabled, the system uses the Cookie Activation
Threshold to determine whether a cookie is needed or not.
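The following toy responder is an added illustration of the decision logic described above (it is not vendor code and does not reproduce any real implementation): it keeps no state for an initiator until a valid cookie comes back, requests a cookie once the half-open count exceeds the global threshold or always when a gateway has strict validation, and drops new requests at the Maximum Half Opened SA cap. The class and method names, the 16-byte HMAC-based cookie, and the "exceeds" comparison are assumptions made for the example.

```python
import hmac
import hashlib
import os


class Ikev2Responder:
    """Toy IKEv2 responder modelling cookie activation (illustration only)."""

    def __init__(self, cookie_threshold=500, max_half_open=65535):
        self.cookie_threshold = cookie_threshold   # 0 = cookies always required
        self.max_half_open = max_half_open         # hard cap on half-open SAs
        self.secret = os.urandom(32)               # a real responder rotates this
        self.half_open = {}                        # SPIi -> initiator address
        self.strict_gateways = set()               # gateways with Strict Cookie Validation

    def set_strict(self, gateway, enabled=True):
        # Strict Cookie Validation is a per-gateway setting, not a global one.
        if enabled:
            self.strict_gateways.add(gateway)
        else:
            self.strict_gateways.discard(gateway)

    def cookie_for(self, src_ip, spi_i, nonce):
        # Stateless cookie in the style of RFC 7296 section 2.6: a keyed hash over
        # the initiator's address, SPI and nonce, so nothing needs to be stored.
        msg = src_ip.encode() + spi_i + nonce
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def cookie_required(self, gateway):
        if gateway in self.strict_gateways or self.cookie_threshold == 0:
            return True
        # Global rule: only once the half-open count exceeds the threshold.
        return len(self.half_open) > self.cookie_threshold

    def handle_sa_init(self, gateway, src_ip, spi_i, nonce, cookie=None):
        """Process one IKE_SA_INIT request; returns (action, cookie_to_send)."""
        if len(self.half_open) >= self.max_half_open:
            return "DROP", None                       # Maximum Half Opened SA reached
        if self.cookie_required(gateway):
            expected = self.cookie_for(src_ip, spi_i, nonce)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # No state and no Diffie-Hellman work until the cookie comes back.
                return "COOKIE_REQUEST", expected
        self.half_open[spi_i] = src_ip                # state is created only here
        return "ACCEPT", None

    def complete(self, spi_i):
        """IKE_AUTH finished: the SA is no longer half-open."""
        self.half_open.pop(spi_i, None)
```

Because a threshold of 65534 is never exceeded before the 65535 cap drops the request, the model also shows why the threshold must stay below Maximum Half Opened SA.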
Perform the following task if you want a firewall to have a threshold different from
the default setting of 500 half-opened SA sessions before cookie validation is
required.