Gentoo Forums
Openswan: ipsec verify - syntax Error
GreedyIvan
n00b


Joined: 04 Dec 2013
Posts: 4

Posted: Wed Dec 04, 2013 6:12 am    Post subject: Openswan: ipsec verify - syntax Error

I have a fresh Gentoo installation (just on a test machine).
And when I start
Code:
ipsec verify
I've got this:
Code:
 File "/usr/libexec/ipsec/verify", line 84
    print "\t[%s%s%s]"%(FAIL,rtext,ENDC)
                     ^
SyntaxError: invalid syntax


I suppose that it's a python issue but I can figure out how to fix that.

Linux Openswan U2.6.39/K3.10.17-gentoo (netkey)
Angrychile
Apprentice


Joined: 27 Oct 2009
Posts: 232

Posted: Thu Dec 05, 2013 2:54 am

It's possible that verify is being run with python 3; the old print "foo" syntax was deprecated in python3. Try eselecting python 2 and see if that helps.
_________________
hola
GreedyIvan
n00b


Joined: 04 Dec 2013
Posts: 4

Posted: Thu Dec 05, 2013 6:14 am

Change to python 2.7:
Code:
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K3.10.17-gentoo (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500               Traceback (most recent call last):
  File "/usr/libexec/ipsec/verify", line 461, in <module>
    main()
  File "/usr/libexec/ipsec/verify", line 452, in main
    plutocheck()
  File "/usr/libexec/ipsec/verify", line 178, in plutocheck
    udp500check()
  File "/usr/libexec/ipsec/verify", line 258, in udp500check
    p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport = :500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory


So I've added:
Code:

ln -s /sbin/ss /usr/sbin/ss
ln -s /bin/ip /usr/sbin/ip

And got this:
Code:
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K3.10.17-gentoo (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
gsra99
Tux's lil' helper


Joined: 06 Jan 2008
Posts: 84

Posted: Mon Feb 24, 2014 1:44 pm

I have an unusual problem with Openswan/Libreswan. The result of ipsec verify produces this output:
Code:
Verifying installed system and configuration files

Version check and ipsec on-path                      [OK]
Libreswan 3.8 (netkey) on 3.10.25-gentoo
Checking for IPsec support in kernel                 [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                 [OK]
         ICMP default/accept_redirects               [OK]
         XFRM larval drop                            [OK]
Pluto ipsec.conf syntax                              [OK]
Hardware random device                               [N/A]
Two or more interfaces found, checking IP forwarding   [OK]
Checking rp_filter                                   [OK]
Checking that pluto is running                       [OK]
 Pluto listening for IKE on udp 500                  [FAILED]
 Pluto listening for IKE/NAT-T on udp 4500           [DISABLED]
 Pluto ipsec.secret syntax                           [OK]
Checking NAT and MASQUERADEing                       [TEST INCOMPLETE]
Checking 'ip' command                                [OK]
Checking 'iptables' command                          [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                             [DISABLED]

ipsec verify: encountered 2 errors - see 'man ipsec_verify' for help

Even though it seems to think that Pluto is not listening on udp 500, and NAT/T is disabled, they are not, as I can still connect to the server using ipsec authentication. I do not understand why it produces this error when it clearly does not exist. I was wondering if I have some incorrect setting. I noticed you are getting the correct output from Openswan. Any help would be greatly appreciated.
gsra99
Tux's lil' helper


Joined: 06 Jan 2008
Posts: 84

Posted: Fri Feb 28, 2014 7:30 pm

Solved my own problem. It was because I had not built the kernel module udp_diag which is used by ss for monitoring UDP sockets.
Code:
Networking support -> Networking options -> UDP: socket monitoring interface
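An added example, not part of the thread and not Openswan/Libreswan code: a cross-check for the false "[FAILED]" above that reads socket state in the /proc/net/udp format, which does not depend on udp_diag, and compares it with what ss reported and with the kernel config. The function names and both sample inputs are constructed for illustration; CONFIG_INET_UDP_DIAG is the Kconfig symbol behind the "UDP: socket monitoring interface" menu entry.

```python
import re

# Constructed sample in /proc/net/udp format: sockets bound to UDP 500 and 4500.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  410: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15321 2 0000000000000000 0
  958: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15322 2 0000000000000000 0
"""

# Constructed kernel .config fragment with the UDP diag interface not built.
SAMPLE_KCONFIG = """\
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_INET_UDP_DIAG is not set
"""

def bound_udp_ports(proc_net_udp):
    """Return the set of local UDP ports listed in /proc/net/udp text."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # port is hex
    return ports

def udp_diag_enabled(kconfig):
    """True if CONFIG_INET_UDP_DIAG is built in (y) or as a module (m)."""
    return re.search(r"^CONFIG_INET_UDP_DIAG=[ym]$", kconfig, re.M) is not None

def explain(port, ss_ports, proc_net_udp, kconfig):
    """Classify one IKE port from ss output, /proc/net/udp and the kernel config."""
    bound = port in bound_udp_ports(proc_net_udp)
    if port in ss_ports:
        return "listening"
    if bound and not udp_diag_enabled(kconfig):
        return "listening, but ss cannot see UDP sockets (udp_diag missing)"
    if bound:
        return "listening, but ss did not report it"
    return "not listening"

if __name__ == "__main__":
    for port in (500, 4500):        # ss reported no UDP listeners at all
        print(port, explain(port, set(), SAMPLE_PROC_NET_UDP, SAMPLE_KCONFIG))
```

On a live host, pass the contents of /proc/net/udp and of the running kernel's config (for example /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled) instead of the samples.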