summaryrefslogtreecommitdiff
path: root/debian/strongswan.templates.master
diff options
context:
space:
mode:
Diffstat (limited to 'debian/strongswan.templates.master')
-rw-r--r--debian/strongswan.templates.master221
1 files changed, 0 insertions, 221 deletions
diff --git a/debian/strongswan.templates.master b/debian/strongswan.templates.master
deleted file mode 100644
index 3fac9039e..000000000
--- a/debian/strongswan.templates.master
+++ /dev/null
@@ -1,221 +0,0 @@
-Template: strongswan/start_level
-Type: select
-_Choices: earliest, "after NFS", "after PCMCIA"
-Default: earliest
-_Description: When to start strongSwan:
- There are three possibilities when strongSwan can start: before or
- after the NFS services and after the PCMCIA services. The correct answer
- depends on your specific setup.
- .
- If you do not have your /usr tree mounted via NFS (either you only mount
- other, less vital trees via NFS or don't use NFS mounted trees at all) and
- don't use a PCMCIA network card, then it's best to start strongSwan at
- the earliest possible time, thus allowing the NFS mounts to be secured by
- IPSec. In this case (or if you don't understand or care about this
- issue), answer "earliest" to this question (the default).
- .
- If you have your /usr tree mounted via NFS and don't use a PCMCIA network
- card, then you will need to start strongSwan after NFS so that all
- necessary files are available. In this case, answer "after NFS" to this
- question. Please note that the NFS mount of /usr can not be secured by
- IPSec in this case.
- .
- If you use a PCMCIA network card for your IPSec connections, then you only
- have to choose to start it after the PCMCIA services. Answer "after
- PCMCIA" in this case. This is also the correct answer if you want to fetch
- keys from a locally running DNS server with DNSSec support.
-
-Template: strongswan/restart
-Type: boolean
-Default: true
-_Description: Do you wish to restart strongSwan?
- Restarting strongSwan is a good idea, since if there is a security fix, it
- will not be fixed until the daemon restarts. Most people expect the daemon
- to restart, so this is generally a good idea. However this might take down
- existing connections and then bring them back up.
-
-Template: strongswan/ikev1
-Type: boolean
-Default: true
-_Description: Do you wish to support IKEv1?
- strongSwan supports both versions of the Internet Key Exchange protocol,
- IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support
- when strongSwan is started?
-
-Template: strongswan/ikev2
-Type: boolean
-Default: true
-_Description: Do you wish to support IKEv2?
- strongSwan supports both versions of the Internet Key Exchange protocol,
- IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support
- when strongSwan is started?
-
-Template: strongswan/create_rsa_key
-Type: boolean
-Default: true
-_Description: Do you want to create a RSA public/private keypair for this host?
- This installer can automatically create a RSA public/private keypair for
- this host. This keypair can be used to authenticate IPSec connections to
- other hosts and is the preferred way for building up secure IPSec
- connections. The other possibility would be to use shared secrets
- (passwords that are the same on both sides of the tunnel) for
- authenticating an connection, but for a larger number of connections RSA
- authentication is easier to administer and more secure.
- .
- If you do not want to create a new public/private keypair, you can choose to
- use an existing one.
-
-Template: strongswan/rsa_key_type
-Type: select
-_Choices: x509, plain
-Default: x509
-_Description: The type of RSA keypair to create:
- It is possible to create a plain RSA public/private keypair for use
- with strongSwan or to create a X509 certificate file which contains the RSA
- public key and additionally stores the corresponding private key.
- .
- If you only want to build up IPSec connections to hosts also running
- strongSwan, it might be a bit easier using plain RSA keypairs. But if you
- want to connect to other IPSec implementations, you will need a X509
- certificate. It is also possible to create a X509 certificate here and
- extract the RSA public key in plain format if the other side runs
- strongSwan without X509 certificate support.
- .
- Therefore a X509 certificate is recommended since it is more flexible and
- this installer should be able to hide the complex creation of the X509
- certificate and its use in strongSwan anyway.
-
-Template: strongswan/existing_x509_certificate
-Type: boolean
-Default: false
-_Description: Do you have an existing X509 certificate file for strongSwan?
- This installer can automatically extract the needed information from an
- existing X509 certificate with a matching RSA private key. Both parts can
- be in one file, if it is in PEM format. If you have such an existing
- certificate and key file and want to use it for authenticating IPSec
- connections, then please answer yes.
-
-Template: strongswan/existing_x509_certificate_filename
-Type: string
-_Description: File name of your X509 certificate in PEM format:
- Please enter the full location of the file containing your X509
- certificate in PEM format.
-
-Template: strongswan/existing_x509_key_filename
-Type: string
-_Description: File name of your X509 private key in PEM format:
- Please enter the full location of the file containing the private RSA key
- matching your X509 certificate in PEM format. This can be the same file
- that contains the X509 certificate.
-
-Template: strongswan/rsa_key_length
-Type: string
-Default: 2048
-_Description: The length of the created RSA key (in bits):
- Please enter the length of the created RSA key. It should not be less than
- 1024 bits because this should be considered unsecure and you will probably
- not need anything more than 2048 bits because it only slows the
- authentication process down and is not needed at the moment.
-
-Template: strongswan/x509_self_signed
-Type: boolean
-Default: true
-_Description: Do you want to create a self-signed X509 certificate?
- This installer can only create self-signed X509 certificates
- automatically, because otherwise a certificate authority is needed to sign
- the certificate request. If you want to create a self-signed certificate,
- you can use it immediately to connect to other IPSec hosts that support
- X509 certificate for authentication of IPSec connections. However, if you
- want to use the new PKI features of strongSwan >= 1.91, you will need to
- have all X509 certificates signed by a single certificate authority to
- create a trust path.
- .
- If you do not want to create a self-signed certificate, then this
- installer will only create the RSA private key and the certificate request
- and you will have to get the certificate request signed by your certificate
- authority.
-
-Template: strongswan/x509_country_code
-Type: string
-Default: AT
-_Description: Country code for the X509 certificate request:
- Please enter the 2 letter country code for your country. This code will be
- placed in the certificate request.
- .
- You really need to enter a valid country code here, because openssl will
- refuse to generate certificates without one. An empty field is allowed for
- any other field of the X.509 certificate, but not for this one.
- .
- Example: AT
-
-Template: strongswan/x509_state_name
-Type: string
-Default:
-_Description: State or province name for the X509 certificate request:
- Please enter the full name of the state or province you live in. This name
- will be placed in the certificate request.
- .
- Example: Upper Austria
-
-Template: strongswan/x509_locality_name
-Type: string
-Default:
-_Description: Locality name for the X509 certificate request:
- Please enter the locality (e.g. city) where you live. This name will be
- placed in the certificate request.
- .
- Example: Vienna
-
-Template: strongswan/x509_organization_name
-Type: string
-Default:
-_Description: Organization name for the X509 certificate request:
- Please enter the organization (e.g. company) that the X509 certificate
- should be created for. This name will be placed in the certificate
- request.
- .
- Example: Debian
-
-Template: strongswan/x509_organizational_unit
-Type: string
-Default:
-_Description: Organizational unit for the X509 certificate request:
- Please enter the organizational unit (e.g. section) that the X509
- certificate should be created for. This name will be placed in the
- certificate request.
- .
- Example: security group
-
-Template: strongswan/x509_common_name
-Type: string
-Default:
-_Description: Common name for the X509 certificate request:
- Please enter the common name (e.g. the host name of this machine) for
- which the X509 certificate should be created for. This name will be placed
- in the certificate request.
- .
- Example: gateway.debian.org
-
-Template: strongswan/x509_email_address
-Type: string
-Default:
-_Description: Email address for the X509 certificate request:
- Please enter the email address of the person or organization who is
- responsible for the X509 certificate, This address will be placed in the
- certificate request.
-
-Template: strongswan/enable-oe
-Type: boolean
-Default: false
-_Description: Do you wish to enable opportunistic encryption in strongSwan?
- strongSwan comes with support for opportunistic encryption (OE), which stores
- IPSec authentication information (i.e. RSA public keys) in (preferably
- secure) DNS records. Until this is widely deployed, activating it will
- cause a significant slow-down for every new, outgoing connection. Since
- version 2.0, strongSwan upstream comes with OE enabled by default and is thus
- likely to break your existing connection to the Internet (i.e. your default
- route) as soon as pluto (the strongSwan keying daemon) is started.
- .
- Please choose whether you want to enable support for OE. If unsure, do not
- enable it.
-