[Openswan Users] Rsasigkey problem

Paul Wouters paul at xelerance.com
Mon Nov 20 12:30:01 EST 2006

On Mon, 20 Nov 2006, conn intel wrote:

> I am using Linux Openswan 2.4.6 (klips) as module. Now I am trying to
> generate rsakeys using following command ::
> ipsec rsasigkey 512 > key.txt

The proper way is to do: ipsec newhostkey --output /etc/ipsec.secrets

> Now on it took a long time if I change from 512 to 1024 and more even with
> 2048. According to you which value is enough?

1024 or 2048.

> And I think when I was using native openswan it took less time, can you
> please clear my doubt?

The IPsec stack is not used for key creation. It solely depends on the
amount of entropy on your system (ok and a bit of cpu).

> Any other way to get it done fast ??

The fastest way is to buy a VIA CPU with PadLock. Their hardware random number
generator leaves everyone else (including Intel and AMD) in shame:

[root at dnssigner ~]# cat /proc/cpuinfo
processor       : 0
vendor_id       : CentaurHauls
cpu family      : 6
model           : 9
model name      : VIA Nehemiah
stepping        : 8
cpu MHz         : 1199.924

Make sure to have the proper hardware rng driver loaded (padlock.ko or
intel_rng.ko or amd_rng.ko) and to be running rngd with the line:

rngd -r /dev/hw_random -o /dev/random

(fedora rpms do not yet start rngd, bug has been filed for this)

then you'll see:

# time ipsec newhostkey --bits 2048 --output /tmp/delme

real    0m8.541s
user    0m8.333s
sys     0m0.032s

That's 8 seconds to generate a 2048 bit RSA key.

You can generate all your ipsec.secrets files on one machine, and copy
them over, if the target machine is embedded and has practically no
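A pre-flight check for the entropy situation described above, as an added example that is not part of this thread or of Openswan itself: it reports the kernel's entropy estimate, whether a hardware RNG device is exposed and whether rngd is feeding it, and only then times newhostkey the way Paul does. The 1000-bit threshold and the --check flag are assumptions of this script.

```shell
#!/bin/sh
# Pre-flight check before "ipsec newhostkey": is the kernel entropy pool
# healthy, is a hardware RNG exposed, and is rngd running?
# Paths and the threshold are parameters so the checks can be run against
# constructed files (defaults are the real Linux locations).

# Print the kernel's entropy estimate; return 0 if it is above the threshold.
entropy_ok() {
    pool_file="${1:-/proc/sys/kernel/random/entropy_avail}"
    threshold="${2:-1000}"   # assumed comfortable level, not a kernel constant
    avail=$(cat "$pool_file" 2>/dev/null) || return 2
    echo "entropy_avail=$avail (threshold $threshold)"
    [ "$avail" -ge "$threshold" ]
}

# Return 0 if a hardware RNG character device is present.
hwrng_present() {
    [ -c "${1:-/dev/hw_random}" ]
}

# Return 0 if a process named rngd is running (scans /proc, no pgrep needed).
rngd_running() {
    for comm in /proc/[0-9]*/comm; do
        [ "$(cat "$comm" 2>/dev/null)" = "rngd" ] && return 0
    done
    return 1
}

main() {
    out="${1:-/tmp/delme}"
    if hwrng_present; then
        echo "hardware RNG device found"
        rngd_running || echo "rngd not running; start: rngd -r /dev/hw_random -o /dev/random"
    else
        echo "no /dev/hw_random: load padlock.ko, intel_rng.ko or amd_rng.ko if you have one"
    fi
    entropy_ok || echo "low entropy: key generation will block until the pool refills"
    if command -v ipsec >/dev/null 2>&1; then
        time ipsec newhostkey --bits 2048 --output "$out"
    else
        echo "ipsec not installed; skipping key generation"
    fi
}

# Only run the full check when invoked as: sh thisscript.sh --check [outfile]
if [ "${1:-}" = "--check" ]; then
    main "${2:-}"
fi
```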
