Research and Development

iker is a Python tool to analyse the security of the key exchange phase in IPsec based VPNs.

Key features

  • Discover VPN services running
  • Fingerprint based on vendor IDs (VID)
  • Guess implementation basing on responses analysis (backoff)
  • Enumerate supported transforms in Main Mode
  • Check for Aggressive Mode
  • Enumerate supported transforms in this Aggressive Mode
  • Enumerate valid client/group IDs in Aggressive Mode
  • Allow for rate limiting
  • Analyse results to list actual issues
  • Export results in 2 different formats
  • Load IPs from command line or text files
  • Determine support for IKEv2


iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.

It discovers and try to fingerprint the VPNs in a first step. Later, it tries to enumerates valid transforms in Main Mode and in Aggressive Mode if it is supported. Finally, it will try to enumerate group IDs if a dictionary was provided.

iker implements two ways of enumerating valid group IDs:

Once all the tests have been launched, iker analyses the results and generates a report with the issues found.


In addition, the following Python packages are used (they usually are included with normal Python installations):

  • subprocess
  • argparse


Download iker from the link below and uncompress it.


$ sudo python -h

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( )

usage: [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML]
               [--encalgs ENCALGS] [--hashalgs HASHALGS]
               [--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs]
               [--ikepath IKEPATH] [-c CLIENTIDS]

positional arguments:
  target                The IP address or the network (CIDR notation) to scan.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Be verbose.
  -d DELAY, --delay DELAY
                        Delay between requests (in milliseconds). Default: 0
                        (No delay).
  -i INPUT, --input INPUT
                        An input file with an IP address/network per line.
  -o OUTPUT, --output OUTPUT
                        An output file to store the results.
  -x XML, --xml XML     An output file to store the results in XML format.
                        Default: output.xml
  --encalgs ENCALGS     The encryption algorithms to check. Default: DES,
                        3DES, AES/128, AES/192 and AES/256. Example:
                        --encalgs="1 5 7/128 7/192 7/256"
  --hashalgs HASHALGS   The hash algorithms to check. Default: MD5 and SHA1.
                        Example: --hashalgs="1 2"
  --authmethods AUTHMETHODS
                        The authorization methods to check. Default: Pre-
                        Shared Key, RSA Signatures, Hybrid Mode and XAUTH.
                        Example: --authmethods="1 3 64221 65001"
  --dhgroups DHGROUPS   The Diffie-Hellman groups to check. Default: MODP 768,
                        MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5"
  --fullalgs            Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192
                        7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3
                        4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003
                        65004 65005 65006 65007 65008 65009 65010"
                        --dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
  --ikepath IKEPATH     The FULL ike-scan path if it is not in the PATH
                        variable and/or the name changed.
  -c CLIENTIDS, --clientids CLIENTIDS
                        A file (dictionary) with a client ID per line to
                        enumerate valid client IDs in Aggressive Mode.
                        Default: unset - This test is not launched by default.


Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:

$ sudo python -i ips.txt -o output.txt -x output.xml -v

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( )

Starting iker ( at Mon, 20 Jan 2014 14:34:15 +0000
[*] Discovering IKE services, please wait... Notify message 14 (NO-PROPOSAL-CHOSEN)
 HDR=(CKY-R=0000000000000000, msgid=f904f872)

[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] The device could not been fingerprinted because no transform is known.

[*] Looking for accepted transforms at
[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080
[*] Vendor ID identified for IP with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX

[*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP Firewall-1 4.1/NG/NGX

Specifying the encryption algorithms to check for supported transforms:

$ sudo python --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8"

Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:

$ sudo python --fullalgs
July 17, 2014
Version: 1.1
40.0 KiB
MD5 hash: c255b6beffcf1e0a2026a9fd3faede8a

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)