[Openswan Users] Openswan on FC5 64bit

Paul Wouters paul at xelerance.com
Wed Nov 1 13:20:08 EST 2006


On Wed, 1 Nov 2006, Bill Marcus wrote:

> I'm having trouble installing openswan on a fully up to date install of
> Fedora Core 5's x86_64 distro. When I either:
>  install the RPM or run
>
> ipsec newhostkey --output /etc/ipsec.d/local.secrets --bits 2048
>
> the process hangs while generating the key. I have waited 15+ minutes
> with no success. The only possible thing I can find is that if I cat
> /dev/random it sits and doesn't return any data at all.
>
> Has anyone had any experience with this issue?

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209395

Yes. I filed a bug report with RedHat to fix that, and openswan 2.4.7 (now
in rc) explicitly adds some support for their file structure so they
don't have to generate the key on install, which as you found out, can
be bad.

My guess is that you are using a virtual machine (xen) and therefore you
are severely lacking random. If you have a modern PC, you can try to
install the rngd package, though it is missing a proper initscript, and
it will use potential hardware rng support (some Intel CPUs and the VIA).

The problem with xen instances is that most linux entropy/random comes
from the disk, keyboard and mouse interrupts, and xen clients tend to have
none of those (I don't think the virtual disk access generates much), and
on top of that, the xen instance has no access to the host's random pool
it seems.

Paul
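
An added example, not part of the original message: a small shell check for the entropy starvation described above, to run before `ipsec newhostkey` so a hang is diagnosed rather than waited out. The function names, the `/dev/hwrng` device path, the 256-bit floor and the 5-second timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed defaults: standard Linux
# paths, /dev/hwrng as the hardware RNG node, a 256-bit floor, a 5 s timeout.

# Print the kernel's entropy estimate in bits; return 2 if it cannot be read.
entropy_avail() {
    f=${1:-/proc/sys/kernel/random/entropy_avail}
    [ -r "$f" ] || return 2
    v=$(cat "$f")
    case $v in ''|*[!0-9]*) return 2 ;; esac
    echo "$v"
}

# Succeed only if 16 bytes arrive from the device before the timeout.
# An empty pool makes a blocking /dev/random hang here instead.
random_read_ok() {
    timeout "${2:-5}" dd if="${1:-/dev/random}" of=/dev/null bs=16 count=1 2>/dev/null
}

# Summarize: 0 = usable, 1 = starved (key generation will hang), 2 = unknown.
entropy_diagnose() {
    avail_file=${1:-/proc/sys/kernel/random/entropy_avail}
    rand_dev=${2:-/dev/random}
    hwrng_dev=${3:-/dev/hwrng}
    min_bits=${4:-256}
    secs=${5:-5}

    bits=$(entropy_avail "$avail_file") || { echo "unknown"; return 2; }

    # rngd can only help if a hardware RNG device is exposed to this machine.
    if [ -e "$hwrng_dev" ]; then hw=present; else hw=absent; fi

    if [ "$bits" -ge "$min_bits" ] && random_read_ok "$rand_dev" "$secs"; then
        echo "ok bits=$bits hwrng=$hw"
        return 0
    fi
    echo "starved bits=$bits hwrng=$hw"
    return 1
}

# Run the check against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    entropy_diagnose
fi
```

A result of `starved ... hwrng=absent` matches the Xen guest situation in the message: no interrupt-driven entropy and no hardware source for rngd to feed from.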

