diff options
Diffstat (limited to 'debian/strongswan.templates.master')
-rw-r--r-- | debian/strongswan.templates.master | 221 |
1 files changed, 0 insertions, 221 deletions
diff --git a/debian/strongswan.templates.master b/debian/strongswan.templates.master deleted file mode 100644 index 3fac9039e..000000000 --- a/debian/strongswan.templates.master +++ /dev/null @@ -1,221 +0,0 @@ -Template: strongswan/start_level -Type: select -_Choices: earliest, "after NFS", "after PCMCIA" -Default: earliest -_Description: When to start strongSwan: - There are three possibilities when strongSwan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it's best to start strongSwan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). - . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start strongSwan after NFS so that all - necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. - . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choose to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. - -Template: strongswan/restart -Type: boolean -Default: true -_Description: Do you wish to restart strongSwan? - Restarting strongSwan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down - existing connections and then bring them back up. - -Template: strongswan/ikev1 -Type: boolean -Default: true -_Description: Do you wish to support IKEv1? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support - when strongSwan is started? - -Template: strongswan/ikev2 -Type: boolean -Default: true -_Description: Do you wish to support IKEv2? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support - when strongSwan is started? - -Template: strongswan/create_rsa_key -Type: boolean -Default: true -_Description: Do you want to create a RSA public/private keypair for this host? - This installer can automatically create a RSA public/private keypair for - this host. This keypair can be used to authenticate IPSec connections to - other hosts and is the preferred way for building up secure IPSec - connections. The other possibility would be to use shared secrets - (passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. - . - If you do not want to create a new public/private keypair, you can choose to - use an existing one. - -Template: strongswan/rsa_key_type -Type: select -_Choices: x509, plain -Default: x509 -_Description: The type of RSA keypair to create: - It is possible to create a plain RSA public/private keypair for use - with strongSwan or to create a X509 certificate file which contains the RSA - public key and additionally stores the corresponding private key. - . - If you only want to build up IPSec connections to hosts also running - strongSwan, it might be a bit easier using plain RSA keypairs. But if you - want to connect to other IPSec implementations, you will need a X509 - certificate. It is also possible to create a X509 certificate here and - extract the RSA public key in plain format if the other side runs - strongSwan without X509 certificate support. - . - Therefore a X509 certificate is recommended since it is more flexible and - this installer should be able to hide the complex creation of the X509 - certificate and its use in strongSwan anyway. - -Template: strongswan/existing_x509_certificate -Type: boolean -Default: false -_Description: Do you have an existing X509 certificate file for strongSwan? - This installer can automatically extract the needed information from an - existing X509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. If you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections, then please answer yes. - -Template: strongswan/existing_x509_certificate_filename -Type: string -_Description: File name of your X509 certificate in PEM format: - Please enter the full location of the file containing your X509 - certificate in PEM format. - -Template: strongswan/existing_x509_key_filename -Type: string -_Description: File name of your X509 private key in PEM format: - Please enter the full location of the file containing the private RSA key - matching your X509 certificate in PEM format. This can be the same file - that contains the X509 certificate. - -Template: strongswan/rsa_key_length -Type: string -Default: 2048 -_Description: The length of the created RSA key (in bits): - Please enter the length of the created RSA key. It should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. - -Template: strongswan/x509_self_signed -Type: boolean -Default: true -_Description: Do you want to create a self-signed X509 certificate? - This installer can only create self-signed X509 certificates - automatically, because otherwise a certificate authority is needed to sign - the certificate request. If you want to create a self-signed certificate, - you can use it immediately to connect to other IPSec hosts that support - X509 certificate for authentication of IPSec connections. However, if you - want to use the new PKI features of strongSwan >= 1.91, you will need to - have all X509 certificates signed by a single certificate authority to - create a trust path. - . - If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to get the certificate request signed by your certificate - authority. - -Template: strongswan/x509_country_code -Type: string -Default: AT -_Description: Country code for the X509 certificate request: - Please enter the 2 letter country code for your country. This code will be - placed in the certificate request. - . - You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. - . - Example: AT - -Template: strongswan/x509_state_name -Type: string -Default: -_Description: State or province name for the X509 certificate request: - Please enter the full name of the state or province you live in. This name - will be placed in the certificate request. - . - Example: Upper Austria - -Template: strongswan/x509_locality_name -Type: string -Default: -_Description: Locality name for the X509 certificate request: - Please enter the locality (e.g. city) where you live. This name will be - placed in the certificate request. - . - Example: Vienna - -Template: strongswan/x509_organization_name -Type: string -Default: -_Description: Organization name for the X509 certificate request: - Please enter the organization (e.g. company) that the X509 certificate - should be created for. This name will be placed in the certificate - request. - . - Example: Debian - -Template: strongswan/x509_organizational_unit -Type: string -Default: -_Description: Organizational unit for the X509 certificate request: - Please enter the organizational unit (e.g. section) that the X509 - certificate should be created for. This name will be placed in the - certificate request. - . - Example: security group - -Template: strongswan/x509_common_name -Type: string -Default: -_Description: Common name for the X509 certificate request: - Please enter the common name (e.g. the host name of this machine) for - which the X509 certificate should be created for. This name will be placed - in the certificate request. - . - Example: gateway.debian.org - -Template: strongswan/x509_email_address -Type: string -Default: -_Description: Email address for the X509 certificate request: - Please enter the email address of the person or organization who is - responsible for the X509 certificate, This address will be placed in the - certificate request. - -Template: strongswan/enable-oe -Type: boolean -Default: false -_Description: Do you wish to enable opportunistic encryption in strongSwan? - strongSwan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, strongSwan upstream comes with OE enabled by default and is thus - likely to break your existing connection to the Internet (i.e. your default - route) as soon as pluto (the strongSwan keying daemon) is started. - . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. - |