ike-scan
Discover and fingerprint VPN servers using the IKE protocol
SYNOPSIS
ike-scan [options] <host(s)|network(s)>
PARAMETERS
-M
Scan using IKEv1 Aggressive Mode. This mode is faster but can potentially leak information like group names or usernames if not securely configured on the target.
-P
Scan using IKEv1 Main Mode. This mode is slower due to more round trips but offers better privacy as it does not leak initial identity information.
-A
Attempt authentication against the target using specified credentials (e.g., pre-shared key) to test for valid credentials or weak key enforcement.
-2
Force IKEv2 mode scanning. This instructs ike-scan to interact with targets using the IKEv2 protocol.
-v
Enable verbose output. Increases the level of detail displayed during the scan, showing more negotiation steps and results.
-f <filename>
Read a list of hosts or networks to scan from the specified file, with one host/network per line.
-r <num>
Set the number of retries for each host, i.e. how many times ike-scan retransmits a probe to a host that has not responded (default is 3).
--trans=<transforms>
Specify a comma-separated list of IKEv1 transforms to use for the scan. This allows custom negotiation proposals for encryption, hash, authentication, and DH group.
--auto-trans
Automatically select and try a comprehensive list of IKEv1 transforms. This is useful for discovering all supported parameters without manual specification.
--id=<string>
Specify the local IKE ID to use in negotiation. This can be an arbitrary string or a specific identity like a FQDN or IP address.
--idtype=<type>
Specify the type of the local IKE ID. Common types include `FQDN`, `USER_FQDN`, `IPADDR`, `ASN1_DN`, etc.
--psk=<key>
Specify a pre-shared key to use for authentication attempts. This is often used with `-A` to test for valid PSKs.
--nat-t
Enable NAT-Traversal (NAT-T) support. This option sends IKE packets over UDP port 4500 instead of port 500, which is necessary for IPsec VPNs operating behind NAT devices.
DESCRIPTION
ike-scan is a command-line tool designed for discovering, fingerprinting, and testing hosts that support the Internet Key Exchange (IKE) protocol. IKE is a fundamental component of IPsec VPNs, responsible for establishing secure tunnels by negotiating cryptographic algorithms, exchanging keys, and authenticating peers.
This tool is invaluable for network administrators and security professionals to audit the security posture of VPN gateways. It can identify the IKE version (IKEv1 or IKEv2), retrieve detailed information about supported encryption algorithms (e.g., AES, 3DES), hashing algorithms (e.g., SHA1, MD5), authentication methods (e.g., pre-shared keys, certificates), and Diffie-Hellman groups. By understanding these capabilities, users can identify potential misconfigurations, weak cryptographic settings, or vulnerabilities. ike-scan can also be used to test for common security issues, such as sensitive information leakage in IKEv1 Aggressive Mode.
CAVEATS
ike-scan performs active probing, which may be detected by Intrusion Detection/Prevention Systems (IDS/IPS) or security monitoring tools. It typically requires raw socket access, meaning it must be run with root privileges or appropriate capabilities.
Be aware that IKEv1 Aggressive Mode can reveal client identities (e.g., usernames, group names) if the VPN gateway is not configured to protect this information, which is a significant security concern.
Its IKEv2 support, while present, might not be as exhaustive or robust as its IKEv1 capabilities due to the complexity and variations in IKEv2 implementations.
PURPOSE OF IKE
The Internet Key Exchange (IKE) protocol is a critical component of the IPsec suite. Its primary purpose is to establish a Security Association (SA) between two peers. An SA is a set of parameters that define how two parties will communicate securely, including the cryptographic algorithms (encryption, hashing), keys, and other security parameters necessary for secure communication within a VPN tunnel.
IKEV1 MODES
IKEv1 supports two main modes for SA establishment: Main Mode and Aggressive Mode.
Main Mode involves six messages (three exchanges) and provides identity protection for the communicating parties. It is generally more secure but requires more round trips.
Aggressive Mode uses three messages (one exchange) and is faster, but it does not provide identity protection, meaning the initiator's identity (e.g., username, FQDN) can be sent unencrypted, potentially leaking sensitive information to an eavesdropper.
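The identity exposure described above can be checked directly on captured traffic. The following Python parser is an added example, not part of ike-scan or this page: it decodes the ISAKMP header and cleartext payload chain (RFC 2408/2407 layout), reports the exchange type, and flags an Aggressive Mode message that carries an ID payload unencrypted. The sample packets are constructed inline (minimal SA payload, dummy cookies, made-up identity), not real captures.

```python
import struct

# ISAKMP/IKEv1 constants: header and payload types from RFC 2408, ID types from RFC 2407
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode"}
PAYLOAD_SA, PAYLOAD_ID = 1, 5
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 9: "DER_ASN1_DN", 11: "KEY_ID"}
FLAG_ENCRYPTED = 0x01


def parse_isakmp(packet: bytes) -> dict:
    """Parse the 28-byte ISAKMP header and walk the cleartext payload chain."""
    if len(packet) < 28:
        raise ValueError("packet shorter than ISAKMP header")
    _i_spi, _r_spi, nxt, version, exch, flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", packet[:28])
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    info = {"version": (version >> 4, version & 0x0F), "exchange_type": exch,
            "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": [], "identity": None}
    if info["encrypted"]:          # payload bodies are opaque once the E flag is set
        return info
    offset, ptype = 28, nxt
    while ptype != 0 and offset + 4 <= len(packet):
        nxt, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("malformed payload length")
        info["payloads"].append(ptype)
        if ptype == PAYLOAD_ID and plen >= 8:
            # ID payload body: ID type (1), protocol ID (1), port (2), identification data
            id_type = packet[offset + 4]
            info["identity"] = (ID_TYPES.get(id_type, str(id_type)), packet[offset + 8:offset + plen])
        offset, ptype = offset + plen, nxt
    return info


def leaks_identity(packet: bytes) -> bool:
    """True when an Aggressive Mode message carries an ID payload in the clear."""
    info = parse_isakmp(packet)
    return info["exchange_type"] == 4 and not info["encrypted"] and info["identity"] is not None


def build_sample(exchange_type: int, identity: bytes = b"") -> bytes:
    """Constructed sample first message (not a real capture): an SA payload, plus an
    ID_USER_FQDN payload when an identity is given, as an Aggressive Mode initiator sends."""
    sa_body = struct.pack("!II", 1, 1)                       # DOI=IPSEC, SIT_IDENTITY_ONLY, no proposals
    if identity:
        id_body = struct.pack("!BBH", 3, 17, 500) + identity  # ID_USER_FQDN, UDP, port 500
        payloads = (struct.pack("!BBH", PAYLOAD_ID, 0, 4 + len(sa_body)) + sa_body
                    + struct.pack("!BBH", 0, 0, 4 + len(id_body)) + id_body)
    else:
        payloads = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                         exchange_type, 0, 0, 28 + len(payloads))  # version 1.0, flags 0
    return header + payloads
```

Feeding real UDP/500 payloads to `parse_isakmp` lets a monitoring script flag which clients are negotiating Aggressive Mode with a cleartext identity, which is exactly the condition the CAVEATS section warns about.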
HISTORY
ike-scan was originally developed by Simon Wilkinson, becoming a widely recognized and essential tool in the network security and penetration testing communities. It has maintained a strong focus on providing a robust and effective way to interact with and analyze IKE services, particularly for auditing VPN infrastructure. Its development has continuously adapted to cover various IKE implementations and address evolving security concerns related to IPsec VPNs.