Zeek Plugin IKEv2

IKEv2 protocol analyzer for Zeek.

This protocol analyzer focuses on the IKE_SA_INIT exchange, which is unencrypted and is used to establish a secure tunnel.

Useful information such as SPIs, cipher proposals, and vendor IDs is contained in these packets.
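To show why these fields are visible to a passive sensor, here is an added example (not the plugin's own code) that parses the cleartext IKE header and payload chain as laid out in RFC 7296. The function names, dictionary keys and the sample packet are constructed for this illustration; the sample is abbreviated and omits the SA and Nonce payloads a real message carries.

```python
import struct

# Payload and exchange type numbers from RFC 7296, sections 3.1 and 3.2
KE, NOTIFY, VENDOR, IKE_SA_INIT = 34, 41, 43, 34

def parse_ike_sa_init(data: bytes) -> dict:
    """Parse the 28-byte IKE header, then walk the cleartext payload chain."""
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte IKE header")
    spi_i, spi_r, next_pl, ver, exch, flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if exch != IKE_SA_INIT:
        raise ValueError("not IKE_SA_INIT; later exchanges are encrypted")
    if length > len(data):
        raise ValueError("header length exceeds captured bytes")
    out = {"sa_i": spi_i.hex(), "sa_r": spi_r.hex(),
           "version": f"{ver >> 4}.{ver & 0x0F}", "exchange_type": exch,
           "is_response": bool(flags & 0x20),  # R flag set by the responder
           "dh_group": None, "notify_types": [], "vendor_ids": []}
    off = 28
    while next_pl != 0:  # 0 means "no next payload"
        if off + 4 > length:
            raise ValueError("truncated payload header")
        nxt, _crit, pl_len = struct.unpack("!BBH", data[off:off + 4])
        if pl_len < 4 or off + pl_len > length:
            raise ValueError("bad payload length")
        body = data[off + 4:off + pl_len]
        if next_pl == KE and len(body) >= 2:        # DH group is the first 16 bits
            out["dh_group"] = struct.unpack("!H", body[:2])[0]
        elif next_pl == NOTIFY and len(body) >= 4:  # after protocol ID and SPI size
            out["notify_types"].append(struct.unpack("!H", body[2:4])[0])
        elif next_pl == VENDOR:
            out["vendor_ids"].append(body.hex())
        next_pl, off = nxt, off + pl_len
    return out

def build_sample() -> bytes:
    """Constructed, abbreviated responder message: KE, Notify, Vendor ID."""
    ke = struct.pack("!BBHHH", NOTIFY, 0, 12, 14, 0) + b"\x00" * 4  # group 14
    notify = struct.pack("!BBHBBH", VENDOR, 0, 8, 0, 0, 16388)
    vendor = struct.pack("!BBH", 0, 0, 8) + b"TEST"
    body = ke + notify + vendor
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("1122334455667788"),
                      bytes.fromhex("99aabbccddeeff00"), KE, 0x20,
                      IKE_SA_INIT, 0x20, 0, 28 + len(body))
    return hdr + body

if __name__ == "__main__":
    print(parse_ike_sa_init(build_sample()))
```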

Installation and Usage

zeek-plugin-ikev2 is distributed as a Zeek package and is compatible with the zkg command line tool.


The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway, with details of the cryptographic proposal selected to establish the connection.

Field                       Description
uid                         Connection ID
id.orig_h                   Originating host
id.orig_p                   Originating port
id.resp_h                   Responding host
id.resp_p                   Responding port
is_orig                     Packet from originator
sa_i                        Initiator's SPI
sa_r                        Responder's SPI
version                     IKE version
exchange_type               IKE exchange type
selected_proposal_number    Selected proposal number
selected_transforms         List of transforms selected
selected_ke_dh_group_num    Key exchange Diffie-Hellman group number
cipher_hash                 MD5 hash of selected_transforms and selected_ke_dh_group_num
notify_message_type_names   List of notify message types
vendor_payloads             List of vendor payloads


  • Thanks to Adam R @ukncsc for peer review


This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis.


Crown Copyright 2020.


Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no restrictions. You can find it here.
