Add support for IKEv2 to ikebuster#5

Open

CrsiX wants to merge 98 commits intomyOmikron:mainfrom

Contributor

CrsiX commented Sep 13, 2025

This PR adds IKEv2 support to the ISAKMP library and the ikebuster tool.

It may need fine-tuning here and there, but it works overall.

CrsiX added 30 commits

July 4, 2025 15:57


          Started building IKEv2 definitions

6729ee7


          Added remaining IKEv2 params as Rust enums

b93bcc7


          Added NotifyMessageStatus


          Added basic generators, extended the definitions

81cacbb


          Added high-level representations and header structs

ae1a46a


          Implemented build for Transform

a9e1d7a


          Implemented Proposal.build and some tests for it

a5e173f


          Implemented SecurityAssociation.build

3f4d46c


          Implemented IKEv2.build, use key_length as u16 directly for encryption

3d00b80


          Implemented Payload.build, added KeyExchange type, simplified Nonce…

c89c760

… and VendorID


          Added NotifyHeader, Notification payload and its build method

8ef8c16


          Extended IKEv2 packet generation

1f23701


          Started building the parser package

efb695f


          Switch from Vec<Transform> to 5 split up Vecs, fixed generation, fixe…

…d tests


          Built parser for SA

f9e3948


          Started parsing for a proposal

2b1db40


          Added proposal parser, fixed many things

58ab84f


          Fixed SA parser

58534e2


          Switch from &u8 to Vec<u8> for notification data, implement Notify pa…

52b6685

…rser


          Introduce BoundaryErrors, made sure SA work with random attributes

ba82250


          Moved tests to a separate file

135650c


          Fixed tests, added 'log', used try_build for Proposals

6f6cf72


          Renamed params to use more CAPSLOCK_PASCAL_CASE for naming scheme

9de7ee9


          Implement parsing for KeyExchange payload


          Added CertificateRequest parsing, fixed unknown payload bug of endles…

70f42a6

…s loop


          Moved constants into their own file, added IKEv2::hello

e3dfe9c


          Added small utils

f122c2f


          Disabled doctests on the library since they are broken due to formatting

a12eab6


          Added methods to get handshake or key lengths

8bd5886


          Added 'requires_integrity_algorithm', removed ENCR algos not allowed …

19f8f0b

…in IKE

CrsiX added 5 commits

September 13, 2025 18:05


          Moved the socket binding to its own utility

c1a2c9f


          Removed old scanner implementation

dccb015


          Implemented the autodetection scan variant

50ac75c


          Added lots of docs, fixed imports, fixed timeout lengths

6ae2819


          Run cargo update

myOmikron requested changes

View reviewed changes

ikebuster/src/lib.rs Outdated Show resolved Hide resolved

ikebuster/src/v2/finding.rs Outdated Show resolved Hide resolved

CrsiX added 6 commits

September 30, 2025 10:50


          Merge remote branch 'upstream/main'

cc8e430


          Run cargo update

2f4601b


          Reformatted imports of isakmp

f7af232


          Reformatted imports of ikebuster

c81c0c5


          Improve readability through format variables

24bdfd6


          Added Unicode-3.0 license to allowlist

44aefe2

github-advanced-security bot found potential problems

View reviewed changes

ikebuster/src/main.rs

-                                  )
-                                  .bright_black());
-                                  owo_println!("---------------");
+                                  print_couldnt_bind_solution(500, &e)?;

Check warning

Code scanning / clippy

this expression creates a reference which is immediately dereferenced by the compiler Warning

this expression creates a reference which is immediately dereferenced by the compiler

ikebuster/src/main.rs

+              async fn main_both(cli: &Cli) -> Result<(), Box<dyn std::error::Error>> {
+                  owo_println!("Starting scan for IKEv2, then scanning IKEv1...");
+                  main_v2(&cli).await?;

Check warning

Code scanning / clippy

this expression creates a reference which is immediately dereferenced by the compiler Warning

this expression creates a reference which is immediately dereferenced by the compiler

ikebuster/src/main.rs

+                  } else {
+                      None
+                  };
+                  main_v1(&cli).await?;

Check warning

Code scanning / clippy

this expression creates a reference which is immediately dereferenced by the compiler Warning

this expression creates a reference which is immediately dereferenced by the compiler

ikebuster/src/v2/receiver.rs Fixed Show fixed Hide fixed

ikebuster/src/v2/scanner.rs

+                                  }
+                                  ControlChannelEvent::DumpState(ch) => {
+                                      let dump = dump_state(&mut open, &mut todo, &mut stats, &mut results, &options, &scan_started);
+                                      ch.send(dump).expect("can't send state dump via channel")

Check warning

Code scanning / clippy

used expect() on a Result value Warning

used expect() on a Result value

isakmp/src/v2/definitions/mod.rs

+              #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+              pub struct CertificateRequest {
+                  pub encoding: CertificateEncoding,
+                  pub certification_authority: Vec<u8>,

Check warning

Code scanning / clippy

missing documentation for a struct field Warning

missing documentation for a struct field

isakmp/src/v2/definitions/mod.rs

+              /// For this representation, these are not parsed and provided as [`Vec<u8>`] instead.
+              #[derive(Debug, PartialEq, Serialize, Deserialize)]
+              pub struct Notification {
+                  pub variant: NotificationType,

Check warning

Code scanning / clippy

missing documentation for a struct field Warning

missing documentation for a struct field

isakmp/src/v2/definitions/mod.rs

+              #[derive(Debug, PartialEq, Serialize, Deserialize)]
+              pub struct Notification {
+                  pub variant: NotificationType,
+                  pub data: Vec<u8>,

Check warning

Code scanning / clippy

missing documentation for a struct field Warning

missing documentation for a struct field

isakmp/src/v2/definitions/mod.rs

+              pub struct Notification {
+                  pub variant: NotificationType,
+                  pub data: Vec<u8>,
+                  pub protocol: SecurityProtocol,

Check warning

Code scanning / clippy

missing documentation for a struct field Warning

missing documentation for a struct field

isakmp/src/v2/definitions/mod.rs

+                  pub variant: NotificationType,
+                  pub data: Vec<u8>,
+                  pub protocol: SecurityProtocol,
+                  pub spi: Option<Vec<u8>>,

Check warning

Code scanning / clippy

missing documentation for a struct field Warning

missing documentation for a struct field

CrsiX added 6 commits

October 4, 2025 19:01


          Added missing SHA1 for peeking proposal

9950de9


          Added support for Windows status codes from private use range

d64299c


          Improve peeking with better info message

a90152c


          Fixed a bug where open proposals would not be matched for overspecifi…

2b5e700

…c key sizes


          Relax logging for informational requests from the responder

ce8905d


          Fixed duplicate findings, fixed local proposals that could be different

270e147

myOmikron requested a review from Copilot

October 7, 2025 16:05

Copilot AI reviewed

View reviewed changes

Copilot AI left a comment

Pull Request Overview

This PR adds comprehensive IKEv2 support to the ISAKMP library and ikebuster tool, expanding the existing IKEv1 functionality to support the newer IKE protocol version.

Key changes:

Complete IKEv2 protocol implementation with parsers, generators, and data structures
New IKEv2 scanner functionality with improved proposal testing and connection tracking
Enhanced CLI with autodetection, mode selection, and improved output formats

Reviewed Changes

Copilot reviewed 44 out of 45 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
setup.md	Adds logging configuration documentation for Libreswan
isakmp/src/v2/	Complete IKEv2 implementation with definitions, parsers, generators, and utilities
isakmp/src/v1/	Minor fixes to comments and naming in existing IKEv1 code
isakmp/src/lib.rs	Exposes new v2 module
ikebuster/src/v2/	New IKEv2 scanner implementation with advanced features
ikebuster/src/main.rs	Extended CLI with multiple scan modes and IKEv2 support
ikebuster/src/lib.rs	Version detection and shared networking utilities

Comments suppressed due to low confidence (1)

isakmp/src/v1/definitions/mod.rs:1

Corrected spelling of 'TrippleDES_CBC' to 'TripleDES_CBC'

//! Definitions of ISAKMP messages and types

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

myOmikron requested changes

View reviewed changes

ikebuster/src/lib.rs Outdated Show resolved Hide resolved

ikebuster/src/main.rs Outdated Show resolved Hide resolved

ikebuster/src/main.rs Outdated Show resolved Hide resolved

ikebuster/src/main.rs Outdated Show resolved Hide resolved

ikebuster/src/v2/peeking.rs Outdated Show resolved Hide resolved

ikebuster/src/v2/receiver.rs

+                                          .encryption_algorithms
+                                          .iter_mut()
+                                          .for_each(|e| e.1 = None);
+                                      for mut p in open_proposals {

Owner

myOmikron Oct 7, 2025

Don't use mut p in xyz, modern Rust likes to have: p in &mut xyz

Contributor Author

CrsiX Oct 13, 2025

I consume open_proposals, and thus I'd say mut p is acceptable

ikebuster/src/v2/receiver.rs Outdated Show resolved Hide resolved

ikebuster/src/v2/receiver.rs

+              ) {
+                  if let Some(&sa) = open_packet
+                      .payloads
+                      .iter()

Owner

myOmikron Oct 7, 2025

use into_iter, you have ownership

ikebuster/src/v2/receiver.rs Outdated Show resolved Hide resolved

ikebuster/src/v2/receiver.rs Outdated Show resolved Hide resolved

CrsiX added 8 commits

October 9, 2025 17:24


          Relax the parsing to allow a little bit of RFC-noncompliance where it…

cf23e92

… doesn't hurt much


          Modify acceptance indicators to differ between soft fail and hard fail

a33f071


          Renamed peeking -> probing, fixed receiver splitting, integrate revie…

dc0ba6b

…wer feedback


          Added a fix to detect invalid syntax in Microsoft notification results


          Increased the nonce size to 512 bits due to RFC 7296 section 2.10

da21203

It mandates that the nonce is at least the key size of the PRF,
which is at most 512 bits for SHA512.


          Renamed peeking to probing

7b62c73


          Fixed the ordering of the probing request to check non-AEAD algos first

b9b3af7


          Changed ordering of proposals in probing, added AES_XCBC algorithm

cf35089

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet