author Rene Mayrhofer <rene@mayrhofer.eu.org> 2010-04-09 09:22:56 +0000
committer Rene Mayrhofer <rene@mayrhofer.eu.org> 2010-04-09 09:22:56 +0000
commit 360dba98ba678692e46482beae42a1c7bf1d4b33
tree fa1db227a0a803c1183e9c4a119b385e1ca7f737 /debian/strongswan-starter.templates
parent 02c055c1366d390f55b20801a40d9d94e72efd19
Sync postinst, rules, and debconf handling with openswan.
Diffstat (limited to 'debian/strongswan-starter.templates')
-rw-r--r-- debian/strongswan-starter.templates 220
1 files changed, 129 insertions, 91 deletions
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates
index 8d239c271..a330005a9 100644
--- a/debian/strongswan-starter.templates
+++ b/debian/strongswan-starter.templates
@@ -7,33 +7,27 @@
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.
-Template: strongswan/start_level
-Type: select
-__Choices: earliest, after NFS, after PCMCIA
-Default: earliest
-_Description: When to start strongSwan:
- StrongSwan starts during system startup so that it can protect filesystems
- that are automatically mounted.
- .
- * earliest: if /usr is not mounted through NFS and you don't use a
- PCMCIA network card, it is best to start strongSwan as soon as
- possible, so that NFS mounts can be secured by IPSec;
- * after NFS: recommended when /usr is mounted through NFS and no
- PCMCIA network card is used;
- * after PCMCIA: recommended if the IPSec connection uses a PCMCIA
- network card or if it needs keys to be fetched from a locally running DNS
- server with DNSSec support.
+Template: strongswan/runlevel_changes
+Type: note
+_Description: Old runlevel management superseded
+ Previous versions of the strongSwan package allowed the user to choose between
+ three different Start/Stop-Levels. Due to changes in the standard system
+ startup procedure, this is no longer necessary and useful. For all new
+ installations as well as old ones running in any of the predefined modes,
+ sane default levels set will now be set. If you are upgrading from a previous
+ version and changed your strongSwan startup parameters, then please take a
+ look at NEWS.Debian for instructions on how to modify your setup accordingly.
Template: strongswan/restart
Type: boolean
Default: true
-_Description: Restart strongSwan now?
- Restarting strongSwan is recommended, because if there is a security fix, it
- will not be applied until the daemon restarts. However, this might close
- existing connections and then bring them back up.
- .
- If you don't restart strongSwan now, you should do so manually at the first
- opportunity.
+_Description: Do you wish to restart strongSwan?
+ Restarting strongSwan is a good idea, since if there is a security fix, it
+ will not be fixed until the daemon restarts. Most people expect the daemon
+ to restart, so this is generally a good idea. However, this might take down
+ existing connections and then bring them back up (including the connection
+ currently used for this update, so it is recommended not to restart if you
+ are using any of the tunnel for administration).
Template: strongswan/ikev1
Type: boolean
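Review bot: In the strongswan/restart template, the new description drops the removed closing paragraph ("If you don't restart strongSwan now, you should do so manually at the first opportunity"), so an admin who answers no is no longer told that a security fix stays unapplied until a manual restart; I'd keep that sentence after the new warning about the administration tunnel. With "Default: true" unchanged, the parenthetical advising against a restart when the update itself runs over a tunnel is easy to miss and deserves its own paragraph. Wording nits in the added lines: "sane default levels set will now be set" repeats "set", "no longer necessary and useful" should read "necessary or useful", and "any of the tunnel" should be "any of the tunnels". The file header shown in this hunk says even minor modifications require translation updates, so these string rewrites need to be coordinated with translators.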
@@ -49,118 +43,162 @@ _Description: Start strongSwan's IKEv2 daemon?
The charon daemon must be running to support version 2 of the Internet Key
Exchange protocol.
-Template: strongswan/create_rsa_key
+Template: strongswan/install_x509_certificate
Type: boolean
-Default: true
-_Description: Create an RSA public/private keypair for this host?
- StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
- IPSec connections to other hosts. RSA authentication is generally considered
- more secure and is easier to administer. You can use PSK and RSA authentication
- simultaneously.
+Default: false
+_Description: Do you want to use a X509 certificate for this host?
+ This installer can automatically create or import a X509 certificate for
+ this host. It can be used to authenticate IPsec connections to other hosts
+ and is the preferred way for building up secure IPsec connections. The other
+ possibility would be to use shared secrets (passwords that are the same on
+ both sides of the tunnel) for authenticating an connection, but for a larger
+ number of connections, key based authentication is easier to administer and
+ more secure.
.
- If you do not want to create a new public/private keypair, you can choose to
- use an existing one in the next step.
+ If you do not want to this now you can answer "No" and later use the command
+ "dpkg-reconfigure openswan" to come back.
-Template: strongswan/existing_x509_certificate
-Type: boolean
-Default: false
-_Description: Use an existing X.509 certificate for strongSwan?
- The required information can automatically be extracted from an
- existing X.509 certificate with a matching RSA private key. Both parts can
- be in one file, if it is in PEM format.
- You should choose this option if you have such an existing
- certificate and key file and want to use it for authenticating IPSec
- connections.
+Template: strongswan/how_to_get_x509_certificate
+Type: select
+__Choices: create, import
+Default: create
+_Description: Methods for using a X509 certificate to authenticate this host:
+ It is possible to create a new X509 certificate with user-defined settings
+ or to import an existing public and private key stored in PEM file(s) for
+ authenticating IPsec connections.
+ .
+ If you choose to create a new X509 certificate you will first be presented
+ a number of questions which must be answered before the creation can start.
+ Please keep in mind that if you want the public key to get signed by
+ an existing certification authority you should not select to create a
+ self-signed certificate and all the answers given must match exactly the
+ requirements of the CA, otherwise the certificate request may be rejected.
+ .
+ In case you want to import an existing public and private key you will be
+ prompted for their filenames (may be identical if both parts are stored
+ together in one file). Optionally you may also specify a filename where the
+ public key(s) of the certification authority are kept, but this file cannot
+ be the same as the former ones. Please be also aware that the format for the
+ X509 certificates has to be PEM and that the private key must not be encrypted
+ or the import procedure will fail.
Template: strongswan/existing_x509_certificate_filename
Type: string
-_Description: File name of your X.509 certificate in PEM format:
- Please enter the full location of the file containing your X.509
- certificate in PEM format.
+_Description: Please enter the location of your X509 certificate in PEM format:
+ Please enter the location of the file containing your X509 certificate in
+ PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
-_Description: File name of your existing X.509 private key in PEM format:
- Please enter the full location of the file containing the private RSA key
- matching your X.509 certificate in PEM format. This can be the same file
- as the X.509 certificate.
+_Description: Please enter the location of your X509 private key in PEM format:
+ Please enter the location of the file containing the private RSA key
+ matching your X509 certificate in PEM format. This can be the same file
+ that contains the X509 certificate.
+
+Template: strongswan/existing_x509_rootca_filename
+Type: string
+_Description: You may now enter the location of your X509 RootCA in PEM format:
+ Optionally you can now enter the location of the file containing the X509
+ certificate authority root used to sign your certificate in PEM format. If you
+ do not have one or do not want to use it please leave the field empty. Please
+ note that it's not possible to store the RootCA in the same file as your X509
+ certificate or private key.
Template: strongswan/rsa_key_length
Type: string
Default: 2048
-_Description: RSA key length:
- Please enter the length of RSA key you wish to generate. A value of less than
- 1024 bits is not considered secure. A value of more than 2048 bits will
- probably affect performance.
+_Description: Please enter which length the created RSA key should have:
+ Please enter the length of the created RSA key. it should not be less than
+ 1024 bits because this should be considered unsecure and you will probably
+ not need anything more than 4096 bits because it only slows the
+ authentication process down and is not needed at the moment.
Template: strongswan/x509_self_signed
Type: boolean
Default: true
-_Description: Create a self-signed X.509 certificate?
- Only self-signed X.509 certificates can be created
+_Description: Do you want to create a self-signed X509 certificate?
+ This installer can only create self-signed X509 certificates
automatically, because otherwise a certificate authority is needed to sign
- the certificate request.
+ the certificate request. If you want to create a self-signed certificate,
+ you can use it immediately to connect to other IPsec hosts that support
+ X509 certificate for authentication of IPsec connections. However, if you
+ want to use the new PKI features of strongSwan >= 1.91, you will need to
+ have all X509 certificates signed by a single certificate authority to
+ create a trust path.
.
- If you accept this option, the certificate created can be used
- immediately to connect to other IPSec hosts that support authentication via
- an X.509 certificate. However, using strongSwan's PKI features requires a
- trust path to be created by having all X.509 certificates signed by a single
+ If you do not want to create a self-signed certificate, then this
+ installer will only create the RSA private key and the certificate request
+ and you will have to sign the certificate request with your certificate
authority.
- .
- If you do not accept this option, only the RSA private key will be created,
- along with a certificate request which you will need to have signed by a
- certificate authority.
Template: strongswan/x509_country_code
Type: string
Default: AT
-_Description: Country code for the X.509 certificate request:
- Please enter the two-letter ISO3166 country code that should be
- used in the certificate request.
+_Description: Please enter the country code for the X509 certificate request:
+ Please enter the 2 letter country code for your country. This code will be
+ placed in the certificate request.
+ .
+ You really need to enter a valid country code here, because openssl will
+ refuse to generate certificates without one. An empty field is allowed for
+ any other field of the X.509 certificate, but not for this one.
.
- This field is mandatory; otherwise a certificate cannot be generated.
+ Example: AT
Template: strongswan/x509_state_name
Type: string
Default:
-_Description: State or province name for the X.509 certificate request:
- Please enter the full name of the state or province to include in
- the certificate request.
+_Description: Please enter the state or province name for the X509 certificate request:
+ Please enter the full name of the state or province you live in. This name
+ will be placed in the certificate request.
+ .
+ Example: Upper Austria
Template: strongswan/x509_locality_name
Type: string
-Default:
-_Description: Locality name for the X.509 certificate request:
- Please enter the locality name (often a city)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the locality name for the X509 certificate request:
+ Please enter the locality (e.g. city) where you live. This name will be
+ placed in the certificate request.
+ .
+ Example: Vienna
Template: strongswan/x509_organization_name
Type: string
-Default:
-_Description: Organization name for the X.509 certificate request:
- Please enter the organization name (often a company)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the organization name for the X509 certificate request:
+ Please enter the organization (e.g. company) that the X509 certificate
+ should be created for. This name will be placed in the certificate
+ request.
+ .
+ Example: Debian
Template: strongswan/x509_organizational_unit
Type: string
-Default:
-_Description: Organizational unit for the X.509 certificate request:
- Please enter the organizational unit name (often a department)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the organizational unit for the X509 certificate request:
+ Please enter the organizational unit (e.g. section) that the X509
+ certificate should be created for. This name will be placed in the
+ certificate request.
+ .
+ Example: security group
Template: strongswan/x509_common_name
Type: string
-Default:
-_Description: Common name for the X.509 certificate request:
- Please enter the common name (such as the host name of this machine)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the common name for the X509 certificate request:
+ Please enter the common name (e.g. the host name of this machine) for
+ which the X509 certificate should be created for. This name will be placed
+ in the certificate request.
+ .
+ Example: gateway.debian.org
Template: strongswan/x509_email_address
Type: string
-Default:
-_Description: Email address for the X.509 certificate request:
- Please enter the email address (for the individual or organization responsible)
- that should be used in the certificate request.
+Default:
+_Description: Please enter the email address for the X509 certificate request:
+ Please enter the email address of the person or organization who is
+ responsible for the X509 certificate, This address will be placed in the
+ certificate request.
Template: strongswan/enable-oe
Type: boolean
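Review bot: The added strongswan/install_x509_certificate description tells the user to run "dpkg-reconfigure openswan", which is the wrong package name in a strongSwan template and looks like a leftover from the sync with openswan; it should name the package that owns this file (debian/strongswan-starter.templates). The same sentence is missing a verb ("If you do not want to this now"). In strongswan/how_to_get_x509_certificate, the import path requires an unencrypted private key, so the description should tell the user to keep that file readable by root only, since they are being asked to leave key material in clear text on disk. In strongswan/rsa_key_length, "it should not be less" needs a capital and "unsecure" should be "insecure". The "strongSwan >= 1.91" reference in x509_self_signed should be checked against strongSwan's own version numbering, given that the text was synced from another package. Spelling is now inconsistent: most strings were changed from "X.509" to "X509", but the added x509_country_code paragraph still says "X.509".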