Readme.md

Let's assume the above script has been copied and pasted to a file called ike-scan.sh. To run the script, issue something like the following on the command-line. Note: ike-scan needs UDP port 500 to be free, this can be achieved by stopping any running IPsec service (e.g. sudo ipsec stop). Replace 123.54.76.9 in the below with your VPN server and we'll grep for SA (i.e. IPSec Security Association) which is the main thing we are interested in.

sudo ipsec stop chmod a+rx ./ike-scan.sh sudo ./ike-scan.sh 123.54.76.9 | grep SA= It may take a few minutes for the script to run to completion and the output shall look something like:

SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080 From the above example script output, it would mean the following phase 1 & 2 algorithms options could be set in the IPsec dialog box advanced options:

Phase1 Algorithms: aes128-sha1-modp2048,3des-sha1-modp1024 Phase2 Algorithms: aes128-sha1,3des-md5

ike-scan.sh

#!/bin/sh

# Encryption algorithms: 3des=5, aes128=7/128, aes192=7/192, aes256=7/256
ENCLIST="5 7/128 7/192 7/256"
# Hash algorithms: md5=1, sha1=2, sha256=5, sha384=6, sha512=7
HASHLIST="1 2 5 6 7"
# Diffie-Hellman groups: 1, 2, 5, 14, 15, 19, 20, 21
GROUPLIST="1 2 5 14 15 19 20 21"
# Authentication method: Preshared Key=1
AUTH=1

for ENC in $ENCLIST; do
   for HASH in $HASHLIST; do
       for GROUP in $GROUPLIST; do
          echo ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
          ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
      done
   done
done