# Openswan: ipsec verify - syntax Error

## GreedyIvan

I have a fresh Gentoo installation (just on a test machine).

And when I start 

```
ipsec verify
```

 I've got this:

```
 File "/usr/libexec/ipsec/verify", line 84
    print "\t[%s%s%s]"%(FAIL,rtext,ENDC)
                     ^
SyntaxError: invalid syntax
```

I suppose that it's a Python issue but I can figure out how to fix that.

Linux Openswan U2.6.39/K3.10.17-gentoo (netkey)

----------

## Angrychile

It's possible that verify is being run with Python 3; the old print "foo" syntax was deprecated in Python 3. Try eselecting Python 2 and see if that helps.

----------

## GreedyIvan

Changed to Python 2.7:

```
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K3.10.17-gentoo (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500               Traceback (most recent call last):
  File "/usr/libexec/ipsec/verify", line 461, in <module>
    main()
  File "/usr/libexec/ipsec/verify", line 452, in main
    plutocheck()
  File "/usr/libexec/ipsec/verify", line 178, in plutocheck
    udp500check()
  File "/usr/libexec/ipsec/verify", line 258, in udp500check
    p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport = :500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
```

So I've added: 

```
ln -s /sbin/ss /usr/sbin/ss
ln -s /bin/ip /usr/sbin/ip
```

And got this:

```
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                         [OK]
Openswan U2.6.39/K3.10.17-gentoo (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
```

----------

## gsra99

I have an unusual problem with Openswan/Libreswan. The result of ipsec verify produces this output:

```
Verifying installed system and configuration files
Version check and ipsec on-path                      [OK]
Libreswan 3.8 (netkey) on 3.10.25-gentoo
Checking for IPsec support in kernel                 [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                 [OK]
         ICMP default/accept_redirects               [OK]
         XFRM larval drop                            [OK]
Pluto ipsec.conf syntax                              [OK]
Hardware random device                               [N/A]
Two or more interfaces found, checking IP forwarding   [OK]
Checking rp_filter                                   [OK]
Checking that pluto is running                       [OK]
 Pluto listening for IKE on udp 500                  [FAILED]
 Pluto listening for IKE/NAT-T on udp 4500           [DISABLED]
 Pluto ipsec.secret syntax                           [OK]
Checking NAT and MASQUERADEing                       [TEST INCOMPLETE]
Checking 'ip' command                                [OK]
Checking 'iptables' command                          [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options             [OK]
Opportunistic Encryption                             [DISABLED]
ipsec verify: encountered 2 errors - see 'man ipsec_verify' for help
```

Even though it seems to think that Pluto is not listening on udp 500, and NAT/T is disabled, they are not, as I can still connect to the server using ipsec authentication. I do not understand why it produces this error when it clearly does not exist. I was wondering if I have some incorrect setting. I noticed you are getting the correct output from Openswan. Any help would be greatly appreciated.

----------

## gsra99

Solved my own problem. It was because I had not built the kernel module udp_diag which is used by ss for monitoring UDP sockets.

```
Networking support -> Networking options -> UDP: socket monitoring interface
```

----------
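The false `[FAILED]` above came from `ss` returning no UDP sockets without udp_diag. As an added example (not part of the thread, and not Openswan or Libreswan code), the script below cross-checks the IKE listeners by parsing `/proc/net/udp`, which the kernel provides without that module. The function names and the sample table are constructed for illustration.

```python
# Added example: find UDP listeners on the IKE ports from /proc/net/udp
# instead of `ss`, so the result does not depend on the udp_diag module.
import os

IKE_PORTS = {500: "IKE", 4500: "IKE/NAT-T"}

# Constructed sample in /proc/net/udp format (not taken from the thread).
# Local ports in hex: 01F4 = 500, 1194 = 4500, 0044 = 68.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:01F4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  102: 00000000:1194 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
  103: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""


def bound_udp_ports(text):
    """Return the set of local UDP ports listed in /proc/net/udp-style text."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        # The header row has no ':' in its second column, so it is skipped.
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        # local_address is HEXADDR:HEXPORT; the address is longer for udp6.
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def ike_listeners(text):
    """Map each IKE service name to True if its UDP port is bound."""
    ports = bound_udp_ports(text)
    return {name: port in ports for port, name in IKE_PORTS.items()}


def read_proc(paths=("/proc/net/udp", "/proc/net/udp6")):
    """Concatenate the live socket tables; empty string if none are readable."""
    chunks = []
    for path in paths:
        if os.path.exists(path):
            with open(path) as handle:
                chunks.append(handle.read())
    return "".join(chunks)


if __name__ == "__main__":
    table = read_proc() or SAMPLE  # fall back to the constructed sample
    for name, bound in sorted(ike_listeners(table).items()):
        print("%-10s %s" % (name, "bound" if bound else "NOT bound"))
```

If this reports the ports as bound while `ipsec verify` shows `[FAILED]`, the problem is in the `ss` query path rather than in pluto.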

