Comment on page
500 (IPSEC IKE)

ike-scan IP -A
aggressive-mode (-A)  get PSK 
ike-scan IP -M 
multi-line - easy to read 
SA (Security association data) --- copy it.
​
if a SNMP is open make sure to do some snmpwalk to get VPN PSK data, which you could use with the SA data. (hash type, group) 
Life duration -- it will print hexadecimal characters ---> convert it to decimal. ---> hours)
​
​
apt install srongswan 
once downloaded, you can edit the /etc/ipsec.secrets
paste the followiog:
VICTIM_IP %any ; PSK "paste the plain text PSK"
Edit /etc/ipsec.conf
Unser Sample VPN conections: 
conn BOX_NAME
    type=transport
    keyexchange=ikev1
    left=your_IP
    leftprotoport=tcp
    right=victim-IP
    rightprotoport=tcp 
    authby=PSK
    esp=3des-sha1
    ike=3des-sha1-mod1024
    ikelifetime=8h
    auto=start 
ipsec start --no fork
-leftprotoport=tcp & rightprotoport=tcp  
set these if TCP ports are hidden from us. 
For trouble shooting ike stuff, https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-traffic.html​
​
​
If no errors, run nmap scan wit -sT option! 
(you cannot do a SYN scan---the default scan, when the client is using a VPN service. You have to complete a handshake.) 
​
443 https
4500 ISAKMP
Last modified 1yr ago