ike-scan
Discover VPN servers using IKE protocol
SYNOPSIS
ike-scan [options] [hosts[/mask]]...
PARAMETERS
-M, --multiple
Send multiple possible IKE packets to each target
-E, --eap
Request EAP authentication identity
-s
Use specified source UDP port (default random)
--source=
Use specified source IP address
--srcport=
Use specified source port
--id=
Set ID payload
--vendor=
Set Vendor ID payload
-d
Set debug verbosity (1-3)
-v, --verbose
Increase verbosity
-V, --veryverbose
Very verbose output
-p
Destination UDP port (default 500)
--file=
Read targets from file
-i
Specify network interface
-S
Source port range
--iketype=
IKE packet type (1-4)
--trans=
Specify transform
-r
Retries per packet (default 3)
-t
Timeout in ms (default 5000)
-T
Preload packets (for speed)
-m
Max concurrent probes
-P, --showtransforms
Show IKE transform payloads
--fingerprint=
Fingerprint responder (1 or 2)
--printcert
Print server certificates
-N, --resolve
Resolve IP to hostname
--help
Show help
--version
Show version
DESCRIPTION
ike-scan is a command-line utility for discovering, fingerprinting, and testing IPsec VPN servers on a target network. It actively sends Phase-1 IKE (Internet Key Exchange) packets to specified hosts or IP ranges and analyzes responses to identify VPN endpoints, vendor implementations, and supported transforms.
Key features include sending multiple IKE variants for comprehensive scanning, cookie randomization to evade detection, support for aggressive mode, EAP, and certificates. It fingerprints servers by matching response payloads against a database of known vendors like Cisco, Juniper, and Palo Alto.
Common uses: network reconnaissance, security auditing, VPN compatibility testing. Output includes responder IP, cookies, vendor ID, transforms, NAT detection, and more. Pair with ptunnel or ikeprobe (included) for deeper analysis.
Requires root privileges for raw socket access. Scans UDP ports 500 (IKE) and 4500 (NAT-T). Efficient for large ranges with multithreading-like preloading.
CAVEATS
Requires root privileges for raw sockets. Scanning may be detected or blocked by firewalls and IDS. Respect the laws governing network scanning; aggressive scans can disrupt services. UDP only; there is no TCP fallback. The vendor fingerprint database may need updating.
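Because a scan like this is visible to a firewall or IDS as one source touching many destinations on UDP 500/4500 in a short time, here is an added example (not part of ike-scan and not from its documentation) of the simplest detection a defender can run over firewall logs: a sliding-window count of distinct IKE destinations per source. The log format and the log lines are constructed for the example, and the 60-second window and five-target threshold are assumed starting values to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <action> udp <src>:<sport> -> <dst>:<dport> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) udp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T, the ports ike-scan uses

# Constructed sample: 10.0.0.5 sweeps six hosts in ten seconds (scan-like);
# 10.0.0.9 talks to one gateway on NAT-T twice (ordinary VPN client);
# one TCP line is present to show non-UDP traffic is ignored.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z DROP udp 10.0.0.5:500 -> 10.1.2.1:500 len 348",
    "2024-05-01T10:00:02Z DROP udp 10.0.0.5:500 -> 10.1.2.2:500 len 348",
    "2024-05-01T10:00:03Z ALLOW udp 10.0.0.5:500 -> 10.1.2.3:500 len 348",
    "2024-05-01T10:00:05Z DROP udp 10.0.0.5:500 -> 10.1.2.4:500 len 348",
    "2024-05-01T10:00:08Z DROP udp 10.0.0.5:500 -> 10.1.2.5:500 len 348",
    "2024-05-01T10:00:11Z DROP udp 10.0.0.5:500 -> 10.1.2.6:500 len 348",
    "2024-05-01T10:00:04Z ALLOW udp 10.0.0.9:4500 -> 10.1.2.1:4500 len 420",
    "2024-05-01T10:00:34Z ALLOW udp 10.0.0.9:4500 -> 10.1.2.1:4500 len 420",
    "2024-05-01T10:00:06Z ALLOW tcp 10.0.0.5:51000 -> 10.1.2.3:443 len 60",
]


def detect_ike_sweeps(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {source_ip: max distinct IKE destinations seen in any window}
    for every source that reaches min_targets or more.

    Only UDP traffic to the IKE ports counts; a single client renegotiating
    with one gateway never crosses the threshold, while a subnet sweep does.
    """
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["dport"]) not in IKE_PORTS:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # order by timestamp so the window can slide forward
        best = 0
        for i, (t0, _) in enumerate(evs):
            # distinct destinations within `window` of this event's timestamp
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in detect_ike_sweeps(SAMPLE_LOG).items():
        print(f"possible IKE sweep from {src}: {count} distinct targets")
```

Distinct destinations rather than raw packet counts is the point: ike-scan's retries (-r) and the -M multiple-packet mode inflate the packet count to one host without meaning a sweep, whereas a large subnet range shows up as many destinations no matter how few packets each receives.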
INSTALLATION
Debian/Ubuntu: apt install ike-scan. Source: compile from ike-scan.org.
EXAMPLE
ike-scan -M --fingerprint 192.168.1.0/24
Scans the 192.168.1.0/24 subnet for VPN servers, sending multiple IKE packet variants to each host and fingerprinting the responders.
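To make concrete what ike-scan is doing with the replies it receives (reading the Phase-1 header for exchange type and responder cookie, then walking the payload chain and matching Vendor ID payloads against a table), here is an added decoder in Python. It is example code, not ike-scan's own implementation or fingerprint database. The sample response is constructed inline with a placeholder SA payload body; the two vendor-ID table entries are derived at runtime as the MD5 of the public strings commonly documented for NAT-T (RFC 3947) and XAUTH, which is an assumption about how those IDs were defined.

```python
import hashlib
import struct

# ISAKMP header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_VENDOR_ID = 13

# Well-known Vendor IDs are typically MD5 digests of a published string, so the
# table is computed rather than hand-typed. Assumption: these are the exact
# strings behind the two IDs named here.
KNOWN_VENDOR_IDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947 NAT-T",
    hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]: "XAUTH",
}


def parse_isakmp(packet):
    """Decode an IKEv1 Phase-1 response into header fields and its payloads."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than ISAKMP header")
    (icookie, rcookie, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError("header length field does not match packet size")
    result = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        # A responder that answered fills in its own cookie; all-zero means
        # no real negotiation started.
        "live_responder": rcookie != b"\x00" * 8,
        "payloads": [],
        "vendor_ids": [],
    }
    # Walk the chain: each generic payload header is next-type, reserved, length.
    offset, ptype = HEADER_LEN, next_payload
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        body = packet[offset + 4:offset + plen]
        result["payloads"].append(ptype)
        if ptype == PAYLOAD_VENDOR_ID:
            result["vendor_ids"].append(
                KNOWN_VENDOR_IDS.get(body, "unknown:" + body.hex()))
        offset, ptype = offset + plen, nxt
    return result


def is_malformed(packet):
    """True when the decoder rejects the packet (length or chain errors)."""
    try:
        parse_isakmp(packet)
    except ValueError:
        return True
    return False


def _payload(next_payload, body):
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_sample_response():
    """Constructed Main Mode reply: SA payload, then two Vendor ID payloads."""
    sa_body = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"  # DOI + SIT only; proposal omitted (placeholder)
    body = (_payload(PAYLOAD_VENDOR_ID, sa_body)
            + _payload(PAYLOAD_VENDOR_ID, hashlib.md5(b"RFC 3947").digest())
            + _payload(PAYLOAD_NONE, hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]))
    header = struct.pack(HEADER_FMT,
                         bytes.fromhex("1122334455667788"),   # initiator cookie (constructed)
                         bytes.fromhex("99aabbccddeeff00"),   # responder cookie (constructed)
                         PAYLOAD_SA, 0x10, 2, 0, 0, HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    print(parse_isakmp(build_sample_response()))
```

The length checks matter as much as the field decoding: a scanner that trusts the length field in a reply from an arbitrary host is itself parsing untrusted input, which is the same class of bug ike-scan's own code has to guard against.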
HISTORY
Developed by Roy Hills starting 2001. Initial release as open-source tool for IPsec discovery. Version 1.9.4 (2012) added NAT-T, EAP support. Maintained sporadically; v1.9.5 (2023) with bugfixes. Widely used in pentesting tools like Metasploit.