
ike-scan

ike-scan is a network utility that discovers and fingerprints IKE (Internet Key Exchange) hosts and services. It sends specially crafted IKE Phase 1 packets to identify VPN servers, determine their implementation type, supported encryption algorithms, and potential misconfigurations. The tool is essential for identifying VPN endpoints during reconnaissance and assessing the security posture of IPsec deployments.

ike-scan sends its probes over UDP port 500 and can detect various VPN implementations including Cisco, Juniper, Nortel, and many others. It is included in Kali Linux and is invaluable for authorized network security assessments.

Installation

# Kali Linux (pre-installed)
ike-scan --version
which ike-scan

# Debian/Ubuntu
sudo apt-get install ike-scan

# macOS
brew install ike-scan

# From source (the git tree ships no pre-built ./configure; autoreconf generates it)
git clone https://github.com/royhills/ike-scan
cd ike-scan
autoreconf --install
./configure
make
sudo make install

Basic syntax

ike-scan [options] <target> [<target2> ...]

Command               Description
ike-scan <ip>         Scan a single IP for an IKE service
ike-scan <ip>/24      Scan an entire subnet
ike-scan --help       Display help, including the full option list (there is no
                      algorithm-listing switch; -l sets the proposed IKE SA lifetime)
ike-scan --version    Show the version number
# Scan single IP
ike-scan 192.168.1.1

# Scan subnet
ike-scan 10.0.0.0/24

# Scan with verbose output
ike-scan -v 192.168.1.1

# Scan multiple targets
ike-scan 192.168.1.1 192.168.2.1 10.0.0.1
Scan options

Option                    Description                                         Example
-r <n>, --retry=<n>       Number of retries per host                          ike-scan -r 3 192.168.1.1
-t <ms>, --timeout=<ms>   Initial per-host timeout in milliseconds            ike-scan -t 500 192.168.1.1
-i <ms>, --interval=<ms>  Minimum interval between packets in milliseconds    ike-scan -i 100 192.168.1.0/24
-M, --multiline           Display the payload decode on multiple lines        ike-scan -M 192.168.1.1

Transform options (attribute values are those of RFC 2409 Appendix A)

Option                    Description                                                              Example
-a <t>, --trans=<t>       Propose the single transform enc[/keylen],hash,auth,group                ike-scan --trans=5,2,1,2 192.168.1.1
                          instead of the default set (5,2,1,2 = 3DES, SHA1, pre-shared key, group 2)
-m <n>, --auth=<n>        Authentication method in the proposal (1 = pre-shared key, 3 = RSA sig)  ike-scan --auth=3 192.168.1.1
-g <n>, --dhgroup=<n>     DH group for the aggressive-mode key exchange (default 2)                ike-scan -A -g 2 192.168.1.1
-l <s>, --lifetime=<s>    IKE SA lifetime in seconds to propose (not an algorithm list; see the    ike-scan -l 28800 192.168.1.1
                          algorithm ID tables below for the numeric values)

Output and network options

Option                    Description                                         Example
-v, --verbose             Verbose output (repeat for more detail)             ike-scan -v 192.168.1.1
-q, --quiet               Do not decode the returned packet                   ike-scan -q 192.168.1.1
--sourceip=<ip>           Source IP for outgoing packets (raw sockets, root)  ike-scan --sourceip=192.168.100.1 192.168.1.1
-s <port>, --sport=<port> UDP source port (default 500)                       ike-scan -s 500 192.168.1.1
Fingerprinting and transform testing

# Detailed fingerprinting: aggressive mode (-A) plus backoff-pattern fingerprinting (--showbackoff)
ike-scan -v -A --showbackoff 192.168.1.1

# Propose one specific transform: 3DES, SHA1, pre-shared key, DH group 2
ike-scan --trans=5,2,1,2 192.168.1.1

# ike-scan has no option that lists algorithms (-l sets the IKE lifetime);
# the numeric IDs used by --trans come from RFC 2409 Appendix A
ike-scan --help

# Test several encryption/hash combinations (pre-shared key auth, DH group 2)
for enc in 1 5 7/128 7/256; do      # DES, 3DES, AES-128, AES-256
  for hash in 1 2 4; do             # MD5, SHA1, SHA2-256
    ike-scan --trans=$enc,$hash,1,2 192.168.1.1
  done
done

Subnet scanning

# Scan entire class C subnet
ike-scan 192.168.1.0/24

# Scan with custom timeouts (1000 ms initial timeout, 2 retries)
ike-scan -t 1000 -r 2 10.0.0.0/24

# Aggressive-mode scan
ike-scan --aggressive 192.168.0.0/23

# Scan and save results
ike-scan -v 192.168.1.0/24 > ike_scan_results.txt

Aggressive mode

# Aggressive mode: the responder's ID, hash and vendor ID payloads arrive in its
# first reply, so it yields more fingerprinting detail than main mode
ike-scan --aggressive 192.168.1.1

# Aggressive scan with verbose output
ike-scan -v --aggressive 192.168.1.0/24

# Save the full multi-line payload decode
ike-scan --aggressive -M 192.168.1.1 > fingerprint.txt
VPN discovery

# Scan network for VPN endpoints
ike-scan 192.168.0.0/16 2>/dev/null | grep "Handshake returned"

# Extract responsive hosts (ike-scan only lists hosts that answered; the IP and the
# message are tab-separated, so use awk rather than cut -d' ')
ike-scan -q 192.168.0.0/16 | awk '/Handshake returned/ {print $1}' > vpn_hosts.txt

# Count VPN servers
ike-scan -q 192.168.0.0/16 | grep -c "Handshake returned"

Implementation identification

# Identify the vendor: decoded vendor ID payloads (VID=) plus the backoff-pattern guess
ike-scan -v -A --showbackoff 192.168.1.1 | grep -i "VID=\|Implementation"

# Extract the decoded vendor ID payloads only
ike-scan -M 192.168.1.1 | grep "VID="

# Map implementations across a subnet
for ip in $(ike-scan -q 192.168.1.0/24 | awk '/Handshake returned/ {print $1}'); do
  echo "=== $ip ==="
  ike-scan --showbackoff "$ip" | grep -i "Implementation"
done
Algorithm strength testing

# A responder only reveals the one transform it picks from what is proposed, so to
# learn whether a weak transform is accepted, propose it on its own.

# Weak transform: DES, MD5, pre-shared key, DH group 1
echo "Testing DES/MD5/group 1 (weak):"
ike-scan --trans=1,1,1,1 192.168.1.1

# Strong transform: AES-256, SHA2-512, pre-shared key, DH group 14
echo "Testing AES-256/SHA2-512/group 14 (strong):"
ike-scan --trans=7/256,6,1,14 192.168.1.1

# Document the transform the responder selects from the default proposal set
ike-scan -v -M 192.168.1.1 > vpn_capability_assessment.txt
# Scan for VPN servers on network
ike-scan 10.0.0.0/24

# Expected output:
# Starting ike-scan 1.9.4 with 256 hosts (https://www.nmap.org)
# 10.0.0.10	Main Mode Handshake returned
# 10.0.0.50	Main Mode Handshake returned
# Ending ike-scan 1.9.4: 256 hosts scanned in 2.56 seconds

# Detailed analysis of a specific VPN endpoint: aggressive mode plus backoff fingerprinting
ike-scan -v -A --showbackoff 10.0.0.10

# Output shows:
# - IKE implementation guess from the retransmission backoff pattern (Cisco, Juniper, etc.)
# - The transform the responder selected (Enc, Hash, Group, Auth)
# - Vendor ID payloads (VID=), decoded where ike-scan recognises them
# - Aggressive-mode ID and hash payloads

# Scan entire subnet and save results
ike-scan -v -M 192.168.1.0/24 > vpn_assessment_$(date +%Y%m%d).txt

# Analyze results
echo "VPN Endpoints Found:"
grep "Handshake returned" vpn_assessment_*.txt

# Count responders
echo "Total VPN Servers:"
grep "Handshake returned" vpn_assessment_*.txt | wc -l
# Create a test script that proposes one transform at a time
cat > test_vpn_algorithms.sh << 'EOF'
#!/bin/bash
# Usage: ./test_vpn_algorithms.sh <target>
TARGET=$1
[ -n "$TARGET" ] || { echo "usage: $0 <target>" >&2; exit 1; }

# probe <transform> <label>: propose a single transform (enc[/keylen],hash,auth,group)
# and report whether the responder accepted it (ike-scan exits 0 either way,
# so the output is checked rather than the exit status)
probe() {
  printf '%-40s' "$2:"
  if ike-scan --trans="$1" "$TARGET" 2>&1 | grep -q "Handshake returned"; then
    echo "accepted"
  else
    echo "not accepted"
  fi
}

echo "Testing VPN encryption algorithms on $TARGET"
echo ""
probe 1,1,1,1       "DES-CBC/MD5/group 1 (weak)"
probe 5,2,1,2       "3DES-CBC/SHA1/group 2 (medium)"
probe 7/128,2,1,5   "AES-128/SHA1/group 5 (strong)"
probe 7/256,6,1,14  "AES-256/SHA2-512/group 14 (very strong)"
EOF

chmod +x test_vpn_algorithms.sh
./test_vpn_algorithms.sh 192.168.1.1
Interpreting the output

Handshake returned    = IKE responder accepted one of the proposed transforms
No line / Timeout     = No response (not an IKE host, filtered, rate-limited, etc.)
Notify message        = IKE host that rejected the proposal (e.g. NO-PROPOSAL-CHOSEN)

# Examine the decoded vendor ID payloads
ike-scan -v -M 192.168.1.1 | grep "VID="

# Check the selected transform (Enc, Hash, Group and Auth in the SA payload)
ike-scan -v -M 192.168.1.1 | grep -i "Enc=\|Hash=\|Group="

# Identify the implementation from its retransmission backoff pattern
ike-scan --showbackoff 192.168.1.1 | grep -i "Implementation"
Encryption algorithm IDs (IKEv1 attribute values per RFC 2409 Appendix A; AES takes its key length as 7/<bits>)

ID        Algorithm    Strength
1         DES-CBC      Weak (deprecated)
5         3DES-CBC     Medium (legacy)
7/128     AES-128      Strong
7/192     AES-192      Strong
7/256     AES-256      Very strong

Hash algorithm IDs

ID        Algorithm    Strength
1         MD5          Weak
2         SHA-1        Medium
4         SHA2-256     Strong
5         SHA2-384     Very strong
6         SHA2-512     Very strong

Diffie-Hellman group IDs

ID        Key size         Strength
1         768-bit MODP     Weak
2         1024-bit MODP    Medium
5         1536-bit MODP    Medium
14        2048-bit MODP    Strong
19        256-bit ECP      Strong
Integration with nmap

# Discover UDP/500 listeners with nmap, then fingerprint them with ike-scan
sudo nmap -sU -p 500 192.168.0.0/16 -oG - | grep open | cut -d' ' -f2 > vpn_candidates.txt

# Fingerprint the discovered endpoints (--file reads one address per line)
ike-scan -v -A --file=vpn_candidates.txt > vpn_fingerprint_report.txt
Weak-algorithm checks

# ike-scan exits 0 whether or not anyone answered, so test the output, not the exit status
if ike-scan --trans=1,1,1,1 192.168.1.1 | grep -q "Handshake returned"; then
  echo "WEAK: DES/MD5/group 1 accepted"
fi

# Sweep a list of transforms and record which ones the responder accepts
for trans in 1,1,1,1 5,2,1,2 7/128,2,1,5 7/256,4,1,14; do
  if ike-scan -q --trans="$trans" 192.168.1.1 | grep -q "Handshake returned"; then
    echo "Accepted: --trans=$trans"
  fi
done
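The grep-based checks above and the "Interpreting the output" notes both hinge on reading ike-scan's decoded SA payload. As an added example (not code from the page or from ike-scan itself), the shell below parses that output, pulls the selected Enc/Hash/Group out of each responder's SA= payload and rates it, so a subnet sweep can be triaged in one pass. The sample_output text is constructed to mimic ike-scan's line format (IP, tab, decoded message); the function names are mine.

```shell
#!/bin/bash
# Added example: rate IKE responders from ike-scan output (not the page's or the tool's code).

# Constructed sample of ike-scan stdout (same shape as real output: IP, TAB, decoded message).
sample_output() {
  printf 'Starting ike-scan 1.9.4 with 256 hosts (http://www.nmap.org/ike-scan/)\n'
  printf '10.0.0.10\tMain Mode Handshake returned HDR=(CKY-R=3b1e7a3f0c9d1e2f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)\n'
  printf '10.0.0.50\tAggressive Mode Handshake returned HDR=(CKY-R=0a1b2c3d4e5f6071) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)\n'
  printf '10.0.0.51\tNotify message 14 (NO-PROPOSAL-CHOSEN)\n'
  printf '10.0.0.52\tMain Mode Handshake returned HDR=(CKY-R=9f8e7d6c5b4a3928) SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=86400)\n'
  printf 'Ending ike-scan 1.9.4: 256 hosts scanned in 2.56 seconds (100.00 hosts/sec).  3 returned handshake; 1 returned notify\n'
}

# rate_ike_hosts: read ike-scan output on stdin and print, per responder,
#   <ip> <mode> <enc> <hash> <group> <verdict>
# WEAK   = DES/3DES, MD5/SHA1, or a MODP group below 2048 bits was selected
# REVIEW = aggressive mode with pre-shared-key auth (responder hash is sent unencrypted)
rate_ike_hosts() {
  awk -F'\t' '
    /Handshake returned/ {
      ip = $1; msg = $2
      mode = (msg ~ /^Aggressive/) ? "aggressive" : "main"
      enc = "?"; hash = "?"; group = "?"; klen = ""
      if (match(msg, /Enc=[^ )]+/))       enc   = substr(msg, RSTART + 4, RLENGTH - 4)
      if (match(msg, /KeyLength=[0-9]+/)) klen  = substr(msg, RSTART + 10, RLENGTH - 10)
      if (match(msg, /Hash=[^ )]+/))      hash  = substr(msg, RSTART + 5, RLENGTH - 5)
      if (match(msg, /Group=[0-9]+/))     group = substr(msg, RSTART + 6, RLENGTH - 6)
      if (klen != "") enc = enc "-" klen
      verdict = "OK"
      if (mode == "aggressive" && msg ~ /Auth=PSK/) verdict = "REVIEW(aggressive-psk)"
      if (enc ~ /^(DES|3DES)$/ || hash ~ /^(MD5|SHA1)$/ || group ~ /^(1|2|5)$/) verdict = "WEAK"
      print ip, mode, enc, hash, group, verdict
      next
    }
    /Notify message/ { print $1, "notify", "-", "-", "-", "REJECTED-PROPOSAL" }
  '
}

# count_weak: number of responders rated WEAK in the output read on stdin
count_weak() { rate_ike_hosts | grep -c ' WEAK$'; }

sample_output | rate_ike_hosts
```

Feed real output with `ike-scan -q 10.0.0.0/24 | rate_ike_hosts`; the WEAK list is what to hand to the VPN owners for remediation.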
Full assessment script

#!/bin/bash
# Comprehensive VPN security assessment
# Usage: ./vpn_assess.sh <network/cidr>

NETWORK=$1
[ -n "$NETWORK" ] || { echo "usage: $0 <network/cidr>" >&2; exit 1; }
REPORT="vpn_assessment_$(date +%Y%m%d_%H%M%S).txt"

{
  echo "VPN Security Assessment Report"
  echo "Network: $NETWORK"
  echo "Date: $(date)"
  echo "---"

  # Phase 1: Discovery (scan the network once and keep the responders)
  echo "Discovery Phase:"
  HOSTS=$(ike-scan -q "$NETWORK" | awk '/Handshake returned/ {print $1}')
  echo "$HOSTS"

  # Phase 2: Fingerprinting
  printf '\nFingerprinting Phase:\n'
  for ip in $HOSTS; do
    echo "Host: $ip"
    ike-scan -v -A -M "$ip"
  done

  # Phase 3: Weak transform check (DES, MD5, pre-shared key, DH group 1)
  printf '\nAlgorithm Analysis:\n'
  for ip in $HOSTS; do
    echo "Testing: $ip"
    ike-scan --trans=1,1,1,1 "$ip" | grep "Handshake returned" && echo "  WEAK: DES/MD5/group 1 accepted"
  done
} > "$REPORT"

echo "Assessment complete: $REPORT"
Troubleshooting

Issue                       Solution
Permission denied           Run with sudo (binding UDP port 500 needs root): sudo ike-scan
Timeout on all hosts        Check network connectivity and firewall rules
No output                   Verify the target IP and network accessibility
Incomplete fingerprinting   Use aggressive mode: ike-scan --aggressive
Cannot find ike-scan        Check installation: which ike-scan
Ethical guidelines

  • Authorization: Only scan networks you own or have explicit permission to test
  • Scope: Adhere to defined testing boundaries
  • Timing: Conduct scans during approved testing windows
  • Documentation: Maintain detailed records of discovery activities
  • Confidentiality: Protect assessment results

Operational notes

  • ike-scan generates minimal network traffic
  • Safe for most production networks (verify with network team)
  • Can help identify VPN availability issues
  • Useful for inventory and compliance validation

Related tools

  • nmap: Network discovery and scanning
  • Wireshark: Packet capture and analysis
  • strongSwan: IPsec implementation
  • OpenSwan: IPsec VPN toolkit
  • openvpn: OpenVPN implementation
  • Burp Suite: Web application security (for API endpoints)

Recommended IKE configuration

Encryption:    AES-256-GCM (minimum AES-256-CBC)
Hash:          SHA-256, SHA-384, or SHA-512
DH Group:      14 (2048-bit) or higher
Protocol:      IKEv2 (prefer over IKEv1)
Weak Ciphers:  Disable DES, 3DES, MD5
Authentication: Strong certificates + optional pre-shared keys

Hardening checklist

  • No weak encryption algorithms enabled
  • No legacy DH groups supported
  • Strong hash algorithms only
  • IKEv2 preferred over IKEv1
  • Certificate validation enabled
  • Perfect Forward Secrecy (PFS) enabled
  • VPN vendor updates current
  • Documentation of approved algorithms

References

  • RFC 2409: IKE Protocol
  • RFC 3394: AES Key Wrap Algorithm
  • RFC 3539: Authentication Protocol for PPP and IPsec IKE
  • NIST Guidelines on IPsec VPN
  • Vendor documentation for specific implementations