Tess King is concerned that a denialofservice (DoS) attack may affect his VPN Communities. Mrs. King decides to implement IKE DoS protection. Tess needs to minimize the performance impact of implementing this new protection.

Which of the following configurations is MOST appropriate for Tess King?

A.
Set Support IKE DoS protection from identified source to “Puzzles”, and Support IKE DoS protection from unidentified source to “Stateless”

B.
Set Support IKE Dos Protection from identified source, and Support IKE DoS protection from unidentified source to “Puzzles”

C.
Set Support IKE DoS protection from identified source to “Stateless,” and Support IKE DoS protection from unidentified source to “Puzzles”

D.
Set “Support IKE DoS protection” from identified source, and “Support IKE DoS protection” from unidentified source to “Stateless”

E.
Set Support IKE DoS protection from identified source to “Stateless”, and Support IKE DoS protection from unidentified source to “None”

Explanation:

From the online HELP for NGX R60, (see screen capture below)

The options for DOS on IKE for both identified and unidentified connections are…

Puzzles best protection, but performance intensive
Stateless less protection, but not as performance intensive
None no protection for DOS on IKE

Therefore, answer C will have impact on “unidentified” IKE connections. To provide protection with less performance hit, use ‘stateless’ so answer D is correct, not C.