IKEv2 offers cookie notification, a challenge-response procedure that the IKEv2 responder can trigger if it has too many half-open IKEv2 connections. This makes the responder more resistant to DDoS attacks.
Cookie notification has been implemented to improve the compatibility with third-party VPN-enabled devices. It must be enabled on both VPN participants in order for a VPN connection to be established.
The IKEv2 cookie notification prevents the establishment of excessive numbers of half-open VPN connections and the resulting exhaustion of VPN-gateway resources (DDoS). With cookie notification enabled, the responder only reacts to incoming VPN connections once the remote site has been verified as reachable.
Enabling the IKEv2 cookie challenge adds two additional IKE messages to the VPN connection setup.
The switch activates the Cookie Challenge on the responder or gateway side.
On the initiator side, the cookie challenge is done automatically if the other side requests it. The switch has no effect on the initiator side or on the client side.
Please note that both initiator and responder must support the cookie challenge feature. If the remote site does not support cookie challenge, the VPN tunnel cannot be established. LANCOM VPN routers at both ends must have at least LCOS 10.30.
- SNMP ID: 2.19.36.12
- Console path: Setup > VPN > IKEv2
- Possible values:
  - Off
  - Always
- Default: Off
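The challenge-response exchange described above, written out as an added Python simulation (this is illustrative code, not LANCOM's implementation): the responder keeps no state for an IKE_SA_INIT until the initiator has echoed back a cookie bound to its SPI, nonce and source address, as in RFC 7296 section 2.6. The half-open limit, the `cookie_challenge` flag standing in for the "Always" switch, and the IP address strings are assumptions made for the example.

```python
import hmac
import hashlib
import os


class CookieResponder:
    """Responder/gateway side of the IKEv2 cookie challenge (illustrative)."""

    def __init__(self, half_open_limit=2):
        self.secret = os.urandom(32)     # a real gateway rotates this periodically
        self.version = 1                 # version id of the secret, prefixed to the cookie
        self.half_open_limit = half_open_limit
        self.half_open = set()           # initiator SPIs awaiting IKE_AUTH
        self.cookie_challenge = False    # the "Always" switch: challenge every initiator

    def _cookie(self, spi_i, nonce_i, ip_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): it can be
        # recomputed on the retry, so nothing has to be stored for the first message.
        mac = hmac.new(self.secret, nonce_i + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def handle_init(self, spi_i, nonce_i, ip_i, cookie=None):
        """Return ('COOKIE', cookie) to demand a retry, or ('SA_INIT_RESPONSE', None)."""
        must_challenge = self.cookie_challenge or len(self.half_open) >= self.half_open_limit
        if must_challenge:
            expected = self._cookie(spi_i, nonce_i, ip_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # A source that never sees this reply (spoofed address) can never
                # answer it, so it cannot fill the half-open table.
                return ('COOKIE', expected)
        self.half_open.add(spi_i)
        return ('SA_INIT_RESPONSE', None)

    def complete_auth(self, spi_i):
        """IKE_AUTH finished: the connection is no longer half-open."""
        self.half_open.discard(spi_i)


def initiator_connect(responder, ip_i):
    """Initiator side: retries automatically with the cookie if the responder asks."""
    spi_i, nonce_i = os.urandom(8), os.urandom(32)
    messages = 2                                   # plain IKE_SA_INIT request/response
    kind, cookie = responder.handle_init(spi_i, nonce_i, ip_i)
    if kind == 'COOKIE':
        messages += 2                              # the two extra IKE messages
        kind, _ = responder.handle_init(spi_i, nonce_i, ip_i, cookie=cookie)
    return kind, messages
```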