diff options
Diffstat (limited to 'debian/strongswan-starter.templates')
| -rw-r--r-- | debian/strongswan-starter.templates | 186 |
1 files changed, 186 insertions, 0 deletions
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates new file mode 100644 index 000000000..a54581e8a --- /dev/null +++ b/debian/strongswan-starter.templates @@ -0,0 +1,186 @@ +# These templates have been reviewed by the debian-l10n-english +# team +# +# If modifications/additions/rewording are needed, please ask +# debian-l10n-english@lists.debian.org for advice. +# +# Even minor modifications require translation updates and such +# changes should be coordinated with translators and reviewers. + +Template: strongswan/runlevel_changes +Type: note +_Description: Old runlevel management superseded + Previous versions of the strongSwan package gave a choice between + three different Start/Stop-Levels. Due to changes in the standard system + startup procedure, this is no longer necessary or useful. For all new + installations as well as old ones running in any of the predefined modes, + sane default levels will now be set. If you are upgrading from a previous + version and changed your strongSwan startup parameters, then please take a + look at NEWS.Debian for instructions on how to modify your setup accordingly. + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Restart strongSwan now? + Restarting strongSwan is recommended, since if there is a security fix, it + will not be applied until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However, this might take down + existing connections and then bring them back up, so if you are using such + a strongSwan tunnel to connect for this update, restarting is not recommended. + +Template: strongswan/charon +Type: boolean +Default: true +_Description: Start strongSwan's charon daemon? + The charon daemon must be running to support the Internet Key + Exchange protocol. + +Template: strongswan/install_x509_certificate +Type: boolean +Default: false +_Description: Use an X.509 certificate for this host? + An X.509 certificate for this host can be automatically created or imported. + It can be used to authenticate IPsec connections to other hosts + and is the preferred way of building up secure IPsec connections. The other + possibility would be to use shared secrets (passwords that are the same on + both sides of the tunnel) for authenticating a connection, but for a larger + number of connections, key based authentication is easier to administer and + more secure. + . + Alternatively you can reject this option and later use the command + "dpkg-reconfigure strongswan" to come back. + +Template: strongswan/how_to_get_x509_certificate +Type: select +__Choices: create, import +Default: create +_Description: Methods for using a X.509 certificate to authenticate this host: + It is possible to create a new X.509 certificate with user-defined settings + or to import an existing public and private key stored in PEM file(s) for + authenticating IPsec connections. + . + If you choose to create a new X.509 certificate you will first be asked + a number of questions which must be answered before the creation can start. + Please keep in mind that if you want the public key to get signed by + an existing Certificate Authority you should not select to create a + self-signed certificate and all the answers given must match exactly the + requirements of the CA, otherwise the certificate request may be rejected. + . + If you want to import an existing public and private key you will be + prompted for their filenames (which may be identical if both parts are stored + together in one file). Optionally you may also specify a filename where the + public key(s) of the Certificate Authority are kept, but this file cannot + be the same as the former ones. Please also be aware that the format for the + X.509 certificates has to be PEM and that the private key must not be encrypted + or the import procedure will fail. + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: File name of your PEM format X.509 certificate: + Please enter the location of the file containing your X.509 certificate in + PEM format. + +Template: strongswan/existing_x509_key_filename +Type: string +_Description: File name of your PEM format X.509 private key: + Please enter the location of the file containing the private RSA key + matching your X.509 certificate in PEM format. This can be the same file + that contains the X.509 certificate. + +Template: strongswan/existing_x509_rootca_filename +Type: string +_Description: File name of your PEM format X.509 RootCA: + Optionally you can now enter the location of the file containing the X.509 + Certificate Authority root used to sign your certificate in PEM format. If you + do not have one or do not want to use it please leave the field empty. Please + note that it's not possible to store the RootCA in the same file as your X.509 + certificate or private key. + +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: Please enter which length the created RSA key should have: + Please enter the length of the created RSA key. It should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 4096 bits because it only slows the + authentication process down and is not needed at the moment. + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Create a self-signed X.509 certificate? + Only self-signed X.509 certificates can be created + automatically, because otherwise a Certificate Authority is needed to sign + the certificate request. If you choose to create a self-signed certificate, + you can use it immediately to connect to other IPsec hosts that support + X.509 certificate for authentication of IPsec connections. However, using + strongSwan's PKI features requires all certificates to be signed by a single + Certificate Authority to create a trust path. + . + If you do not choose to create a self-signed certificate, only the RSA + private key and the certificate request will be created, and you will + have to sign the certificate request with your Certificate Authority. + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Country code for the X.509 certificate request: + Please enter the two-letter code for the country the server resides in + (such as "AT" for Austria). + . + OpenSSL will refuse to generate a certificate unless this is a valid + ISO-3166 country code; an empty field is allowed elsewhere in the X.509 + certificate, but not here. + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: State or province name for the X.509 certificate request: + Please enter the full name of the state or province the server resides in + (such as "Upper Austria"). + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Locality name for the X.509 certificate request: + Please enter the locality the server resides in (often a city, such + as "Vienna"). + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Organization name for the X.509 certificate request: + Please enter the organization the server belongs to (such as "Debian"). + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Organizational unit for the X.509 certificate request: + Please enter the organizational unit the server belongs to (such as + "security group"). + +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Common Name for the X.509 certificate request: + Please enter the Common Name for this host (such as + "gateway.example.org"). + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Email address for the X.509 certificate request: + Please enter the email address of the person or organization + responsible for the X.509 certificate. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Enable opportunistic encryption? + This version of strongSwan supports opportunistic encryption (OE), which stores + IPSec authentication information in + DNS records. Until this is widely deployed, activating it will + cause a significant delay for every new outgoing connection. + . + You should only enable opportunistic encryption if you are sure you want it. + It may break the Internet connection (default route) as the daemon starts. |