IKEv2 DPD - HP FlexNetwork MSR Series Command Reference Manual

Comware 7 security

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.
Syntax
ikev2 cookie-challenge number
undo ikev2 cookie-challenge
Default
The cookie challenging feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the threshold for triggering the cookie challenging feature. The value range for this
argument is 1 to 1000 half-open IKE SAs.
Usage guidelines
When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie
challenging mechanism. The responder generates a cookie and includes it in the response sent to
the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the
responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is
incorrect, the responder terminates the negotiation.
This feature can protect the responder against DoS attacks which aim to exhaust the responder's
system resources by using a large number of IKE_SA_INIT requests with forged source IP
addresses.
Examples
# Enable the cookie challenging feature and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
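
The threshold and cookie check from the usage guidelines above, modeled as an added example (not code from this manual or from Comware). The HMAC-SHA256 cookie over source address, initiator SPI and nonce is an assumption in the spirit of the stateless cookie in RFC 7296 section 2.6; the manual does not document how the device computes its cookie, and the class, function names and addresses are constructed.

```python
import hashlib
import hmac
import os

THRESHOLD = 3  # constructed value; on the device this is the ikev2 cookie-challenge number


class Responder:
    """Toy IKEv2 responder: models only half-open SA counting and cookies."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.secret = os.urandom(32)   # local secret, never sent to peers
        self.half_open = set()         # (src_ip, spi_i) of unfinished exchanges

    def _cookie(self, src_ip, spi_i, nonce_i):
        # Assumed construction: bind the cookie to the claimed source address,
        # initiator SPI and nonce so it can be recomputed without stored state.
        msg = src_ip.encode() + b"|" + spi_i + b"|" + nonce_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_sa_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Return (action, cookie_to_send) for one IKE_SA_INIT request."""
        if len(self.half_open) < self.threshold:
            self.half_open.add((src_ip, spi_i))   # below threshold: no challenge
            return "proceed", None
        expected = self._cookie(src_ip, spi_i, nonce_i)
        if cookie is None:
            return "challenge", expected          # reply with cookie, keep no state
        if hmac.compare_digest(cookie, expected):
            self.half_open.add((src_ip, spi_i))   # initiator proved it receives replies
            return "proceed", None
        return "terminate", None                  # wrong cookie: drop the negotiation


def demo():
    r = Responder()
    # Constructed traffic: three requests with forged sources reach the threshold.
    for i in range(3):
        r.handle_sa_init(f"198.51.100.{i}", bytes([i]) * 8, os.urandom(16))
    spi, nonce = b"\xaa" * 8, os.urandom(16)
    first = r.handle_sa_init("192.0.2.10", spi, nonce)
    retry = r.handle_sa_init("192.0.2.10", spi, nonce, cookie=first[1])
    # Same cookie presented from a different source address fails verification.
    forged = r.handle_sa_init("192.0.2.99", spi, nonce, cookie=first[1])
    return first[0], retry[0], forged[0], len(r.half_open)
```

Once the threshold is reached, a request without a cookie costs the responder one hash and no table entry, which is why forged-source floods stop consuming half-open SA slots.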

ikev2 dpd

Use ikev2 dpd to configure global IKEv2 DPD.
Use undo ikev2 dpd to disable global IKEv2 DPD.
Syntax
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ikev2 dpd interval
Default
Global IKEv2 DPD is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.