Zeek Plugin IKEv2
IKEv2 protocol analyzer for Zeek.
This protocol analyzer focuses on the IKE_SA_INIT exchange, the first exchange of IKEv2. It is sent in the clear because the peers use it to negotiate cryptographic algorithms and exchange nonces and Diffie-Hellman values before any keys exist to protect the tunnel.
Useful information such as SPIs, cipher proposals, and vendor IDs is therefore visible to a passive observer of these packets.
Installation and Usage
zeek-plugin-ikev2 is distributed as a Zeek package and is compatible with the zkg command line tool.
The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway, with details of the cryptographic proposal the gateway selected to establish the connection.
| Field | Description |
|---|---|
| is_orig | Packet from originator |
| exchange_type | IKE exchange type |
| selected_proposal_number | Selected proposal number |
| selected_transforms | List of transforms selected |
| selected_ke_dh_group_num | Key exchange Diffie-Hellman group number |
| cipher_hash | MD5 hash of selected_transforms and selected_ke_dh_group_num |
| notify_message_type_names | List of notify message types |
| vendor_payloads | List of vendor payloads |
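To make the fields above concrete, here is an added example of pulling the same information out of an IKE_SA_INIT response. It is not the plugin's code (the plugin is a Zeek analyzer; this is standalone Python): it parses the RFC 7296 wire format, walks the payload chain, and reports the SPIs, the proposal and transforms the responder accepted, the DH group from the KE payload, the notify types and the vendor IDs. The transform names, the `cipher_hash` serialization (transforms joined with commas, then the DH group) and the `is_response` field are this example's own choices, not necessarily how the plugin names or hashes things. The sample message is constructed in the block, with a placeholder key-exchange value, and is not a real capture.

```python
import hashlib
import struct

IKE_SA_INIT = 34
FLAG_RESPONSE = 0x20  # IKE header flag bit set on the responder's messages
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NOTIFY, PAYLOAD_VID = 33, 34, 41, 43
TRANSFORMS = {  # transform type -> (name, subset of IANA IKEv2 transform IDs)
    1: ("ENCR", {3: "3DES", 12: "AES_CBC", 20: "AES_GCM_16"}),
    2: ("PRF", {1: "HMAC_MD5", 2: "HMAC_SHA1", 5: "HMAC_SHA2_256"}),
    3: ("INTEG", {1: "HMAC_MD5_96", 2: "HMAC_SHA1_96", 12: "HMAC_SHA2_256_128"}),
    4: ("DH", {2: "MODP_1024", 14: "MODP_2048", 19: "ECP_256"}),
}
NOTIFY_TYPES = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP"}
KEY_LENGTH_ATTR = b"\x80\x0e"  # attribute type 14 (Key Length) with the TV-format bit set

def cipher_fingerprint(transforms, dh_group):
    # MD5 over the selected transforms and DH group; the join format is this example's own choice.
    return hashlib.md5((",".join(transforms) + f"|{dh_group}").encode()).hexdigest()

def _key_length(attrs):
    # Key Length is the only transform attribute RFC 7296 defines, so only TV form is handled.
    return struct.unpack("!H", attrs[2:4])[0] if attrs[:2] == KEY_LENGTH_ATTR else None

def _parse_sa(body):
    # Parse an SA payload body into a list of (proposal_num, [transform names]).
    proposals, off = [], 0
    while off + 8 <= len(body):
        _, _, plen, pnum, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        if plen < 8 or off + plen > len(body):
            raise ValueError("bad proposal length")
        toff, names = off + 8 + spi_size, []
        for _ in range(ntrans):
            if toff + 8 > off + plen:
                raise ValueError("truncated transform")
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            if tlen < 8 or toff + tlen > off + plen:
                raise ValueError("bad transform length")
            kind, ids = TRANSFORMS.get(ttype, (f"TYPE{ttype}", {}))
            name = f"{kind}_{ids.get(tid, tid)}"
            key_len = _key_length(body[toff + 8:toff + tlen])
            names.append(name if key_len is None else f"{name}_{key_len}")
            toff += tlen
        proposals.append((pnum, names))
        off += plen
    return proposals

def parse_ike_sa_init(msg):
    # Parse one IKE_SA_INIT message (RFC 7296 wire format); raises ValueError if malformed.
    if len(msg) < 28:
        raise ValueError("truncated IKE header")
    ispi, rspi, np, version, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if version >> 4 != 2 or exch != IKE_SA_INIT or length != len(msg):
        raise ValueError("not a well-formed IKEv2 IKE_SA_INIT message")
    rec = {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "exchange_type": exch,
           "is_response": bool(flags & FLAG_RESPONSE), "selected_proposal_number": None,
           "selected_transforms": [], "selected_ke_dh_group_num": None,
           "notify_message_type_names": [], "vendor_payloads": []}
    off = 28
    while np != 0:  # walk the payload chain via each generic payload header
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        next_np, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if np == PAYLOAD_SA and (props := _parse_sa(body)):
            rec["selected_proposal_number"], rec["selected_transforms"] = props[0]  # responder echoes one proposal
        elif np == PAYLOAD_KE and len(body) >= 2:
            rec["selected_ke_dh_group_num"] = struct.unpack("!H", body[:2])[0]
        elif np == PAYLOAD_NOTIFY and len(body) >= 4:
            ntype = struct.unpack("!H", body[2:4])[0]
            rec["notify_message_type_names"].append(NOTIFY_TYPES.get(ntype, str(ntype)))
        elif np == PAYLOAD_VID:
            rec["vendor_payloads"].append(body.hex())
        off, np = off + plen, next_np
    rec["cipher_hash"] = cipher_fingerprint(rec["selected_transforms"], rec["selected_ke_dh_group_num"])
    return rec

def _transform(ttype, tid, last, key_len=None):
    attrs = b"" if key_len is None else KEY_LENGTH_ATTR + struct.pack("!H", key_len)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs

def build_message(payloads, flags, ispi=b"\x01" * 8, rspi=b"\x02" * 8):
    # Assemble an IKE header plus a chain of (payload_type, body) payloads.
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return struct.pack("!8s8sBBBBII", ispi, rspi, payloads[0][0], 0x20, IKE_SA_INIT, flags, 0, 28 + len(out)) + out

# Constructed sample (not a real capture): a gateway's IKE_SA_INIT response accepting proposal 1.
_ts = b"".join([_transform(1, 12, False, 256), _transform(2, 5, False), _transform(3, 12, False), _transform(4, 14, True)])
SAMPLE_RESPONSE = build_message([
    (PAYLOAD_SA, struct.pack("!BBHBBBB", 0, 0, 8 + len(_ts), 1, 1, 0, 4) + _ts),  # proposal 1, protocol IKE, 4 transforms
    (PAYLOAD_KE, struct.pack("!HH", 14, 0) + b"\x11" * 8),  # DH group 14; real MODP_2048 key data is 256 bytes
    (PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, 16388) + b"\x33" * 20),
    (PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, 16389) + b"\x44" * 20),
    (PAYLOAD_VID, b"example-vendor-id"),
], flags=FLAG_RESPONSE)
```

Running `parse_ike_sa_init(SAMPLE_RESPONSE)` yields proposal 1 with `ENCR_AES_CBC_256`, `PRF_HMAC_SHA2_256`, `INTEG_HMAC_SHA2_256_128` and `DH_MODP_2048`, DH group 14, both NAT-detection notify types and the vendor ID. Every length field is checked against the enclosing structure before it is used, which is the check a passive analyzer needs most: a peer can send arbitrary lengths in this unauthenticated exchange, and the parser must fail cleanly rather than read past the message. The same fingerprint idea as `cipher_hash` is what lets you group gateways by negotiated suite, and spot one that accepts a proposal such as `DH_MODP_1024` or `ENCR_3DES` that your policy forbids.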
- Thanks to Adam R @ukncsc for peer review
This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis.
Crown Copyright 2020.
Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no restrictions. You can find it here.