[Openswan Users] /dev/random question

Nick newsgroups at 2thebatcave.com
Wed Nov 23 08:56:59 CET 2005


I tried doing the "ipsec newhostkey" on a machine of mine, and after 30+
minutes it still wasn't finished.

So I told it to use /dev/urandom instead of /dev/random, and it was
finished in a few seconds.

From what I understand /dev/random can take an extremely long time if it
is a headless box with no hard drive (just a small flash card), which is
all you really need for a VPN router.

Anyway I am wondering if this is going to cause a problem with the normal
operation of openswan.  I don't know if it uses /dev/random in normal
operation, other than generating keys/certs.

I really would like to use /dev/random, but it's not just a problem of
waiting (possibly several hours) once.  This is actually a little distro
that I use for a fair amount of people/customers so I can't effectively
have them all wait some extremely long (and unknown) time for the
keys/certs to generate.  I wish there was a way to speed this up without
using /dev/urandom, but I don't know how.  It looks like the new intel
motherboards (which is what we are using, all new p4/celeron based
systems) don't have the onboard random number generator.  And I don't want
to buy a hardware card just for this.

Ideas/comments?
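As an added illustration (this is not part of the original post and not Openswan code), the following POSIX shell script is the kind of check you would run on one of these headless flash-card boxes before generating keys: it reports how much entropy the kernel pool currently holds (Linux only, via /proc/sys/kernel/random/entropy_avail) and measures how long a small read from a chosen device takes, giving up after a time limit so the check itself never hangs the way "ipsec newhostkey" did. The "low" threshold of 200 bits used by classify_entropy is an assumption chosen for this example, not a kernel or Openswan figure.

```shell
#!/bin/sh
# Added diagnostic example, not from the original post or from Openswan.
# Shows whether a box is likely to block on /dev/random before key generation.

# Bits of entropy the kernel currently reports for its pool.
# Linux only; prints -1 on systems without the /proc entry.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo -1
    fi
}

# Classify a pool reading: "unknown" (-1), "low" or "ok".
# The 200-bit threshold is an assumption for this example; on old
# blocking-pool kernels a pool that small means long waits for keys.
classify_entropy() {
    bits=$1
    if [ "$bits" -lt 0 ]; then
        echo unknown
    elif [ "$bits" -lt 200 ]; then
        echo low
    else
        echo ok
    fi
}

# timed_read BYTES DEVICE SECONDS
# Read BYTES from DEVICE but abandon the attempt after SECONDS.
# Prints the number of bytes actually obtained (less than BYTES on timeout).
timed_read() {
    bytes=$1; dev=$2; limit=$3
    tmp=$(mktemp)
    # dd runs in the background so a blocking device cannot hang the script.
    dd if="$dev" of="$tmp" bs=1 count="$bytes" 2>/dev/null &
    pid=$!
    elapsed=0
    while kill -0 "$pid" 2>/dev/null && [ "$elapsed" -lt "$limit" ]; do
        sleep 1
        elapsed=$((elapsed + 1))
    done
    kill "$pid" 2>/dev/null || true   # still running: it blocked on entropy
    wait "$pid" 2>/dev/null || true
    wc -c < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Print a short report for both devices; only runs when invoked with "run".
report() {
    avail=$(entropy_avail)
    echo "entropy_avail: $avail ($(classify_entropy "$avail"))"
    echo "bytes from /dev/urandom within 5s: $(timed_read 32 /dev/urandom 5)"
    echo "bytes from /dev/random  within 5s: $(timed_read 32 /dev/random 5)"
}

if [ "${1:-}" = "run" ]; then
    report
fi
```

Run it as "sh entropy-check.sh run". If /dev/urandom returns all 32 bytes within the limit but /dev/random returns fewer, the box is starved of entropy and a long key-generation wait is exactly what to expect; on recent Linux kernels, where /dev/random only blocks until the pool is first seeded at boot, both reads normally complete immediately.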



