Fw: [Openswan Users]

Paul Wouters paul at xelerance.com
Thu Apr 20 07:01:54 CEST 2006

On Thu, 20 Apr 2006, Gbenga wrote:

> I recompiled the kernel again, this time with kernel 2.6.16 and enabled CONFIG_IPSEC_NAT_TRAVERSAL=y and CONFIG_KLIPS=m.
> This compiled ok and I was able to compile and install user-land: modprobe ipsec  (ok)
> However, when I ran ipsec verify, NAT Traversal support failed ??
> aparo:/home/osogbetun# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]

This check is most certainly wrong. The code for creating the proc file
by the nat-t patch seems to be missing from the 2.4 branch. So ignore this
error for now.

> Also, how long does it take to for ipsec newhostkey takes to generate a key? Or what is the best way to generate keys for ipsec.secrets file?

That completely depends on the amount of entropy (and thus available random)
in your system. On normal systems, it should return within 1-5 seconds. On
embedded systems, this could take ages, especially if they have no disk io
and mouse/keyboard io (which in linux generates entropy). If it has a disk,
starting something like "find / -type f | xargs grep FOOBAR > /dev/null &"
and then creating the ipsec.secrets file could help. Don't forget to kill the
find process when done.
On VIA systems with the PadLock, /dev/hw_random is automatically used. This
random device is extremely fast, and can generate about 3 1024bit RSA keys per
second on my VIA Nehemiah (1199.959 mhz)

You can generate the ipsec.secrets file on a normal linux machinr and then
copy the file. Please do NOT be tempted to use /dev/urandom, since that random
is not strong enough for long term RSA keys.


More information about the Users mailing list