From 8a52bd382213e88076970863212f8acfe16017f4 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Fri, 2 Nov 2007 23:49:33 +0000 Subject: - Need to name the master file the .templates again. dh_installdebconf will do the right thing and merge translations. --- debian/strongswan.templates | 221 +++++++++++++++++++++++++++++++++++++ debian/strongswan.templates.master | 221 ------------------------------------- 2 files changed, 221 insertions(+), 221 deletions(-) create mode 100644 debian/strongswan.templates delete mode 100644 debian/strongswan.templates.master diff --git a/debian/strongswan.templates b/debian/strongswan.templates new file mode 100644 index 000000000..3fac9039e --- /dev/null +++ b/debian/strongswan.templates @@ -0,0 +1,221 @@ +Template: strongswan/start_level +Type: select +_Choices: earliest, "after NFS", "after PCMCIA" +Default: earliest +_Description: When to start strongSwan: + There are three possibilities when strongSwan can start: before or + after the NFS services and after the PCMCIA services. The correct answer + depends on your specific setup. + . + If you do not have your /usr tree mounted via NFS (either you only mount + other, less vital trees via NFS or don't use NFS mounted trees at all) and + don't use a PCMCIA network card, then it's best to start strongSwan at + the earliest possible time, thus allowing the NFS mounts to be secured by + IPSec. In this case (or if you don't understand or care about this + issue), answer "earliest" to this question (the default). + . + If you have your /usr tree mounted via NFS and don't use a PCMCIA network + card, then you will need to start strongSwan after NFS so that all + necessary files are available. In this case, answer "after NFS" to this + question. Please note that the NFS mount of /usr can not be secured by + IPSec in this case. + . + If you use a PCMCIA network card for your IPSec connections, then you only + have to choose to start it after the PCMCIA services. Answer "after + PCMCIA" in this case. This is also the correct answer if you want to fetch + keys from a locally running DNS server with DNSSec support. + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Do you wish to restart strongSwan? + Restarting strongSwan is a good idea, since if there is a security fix, it + will not be fixed until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However this might take down + existing connections and then bring them back up. + +Template: strongswan/ikev1 +Type: boolean +Default: true +_Description: Do you wish to support IKEv1? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support + when strongSwan is started? + +Template: strongswan/ikev2 +Type: boolean +Default: true +_Description: Do you wish to support IKEv2? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support + when strongSwan is started? + +Template: strongswan/create_rsa_key +Type: boolean +Default: true +_Description: Do you want to create a RSA public/private keypair for this host? + This installer can automatically create a RSA public/private keypair for + this host. This keypair can be used to authenticate IPSec connections to + other hosts and is the preferred way for building up secure IPSec + connections. The other possibility would be to use shared secrets + (passwords that are the same on both sides of the tunnel) for + authenticating an connection, but for a larger number of connections RSA + authentication is easier to administer and more secure. + . + If you do not want to create a new public/private keypair, you can choose to + use an existing one. + +Template: strongswan/rsa_key_type +Type: select +_Choices: x509, plain +Default: x509 +_Description: The type of RSA keypair to create: + It is possible to create a plain RSA public/private keypair for use + with strongSwan or to create a X509 certificate file which contains the RSA + public key and additionally stores the corresponding private key. + . + If you only want to build up IPSec connections to hosts also running + strongSwan, it might be a bit easier using plain RSA keypairs. But if you + want to connect to other IPSec implementations, you will need a X509 + certificate. It is also possible to create a X509 certificate here and + extract the RSA public key in plain format if the other side runs + strongSwan without X509 certificate support. + . + Therefore a X509 certificate is recommended since it is more flexible and + this installer should be able to hide the complex creation of the X509 + certificate and its use in strongSwan anyway. + +Template: strongswan/existing_x509_certificate +Type: boolean +Default: false +_Description: Do you have an existing X509 certificate file for strongSwan? + This installer can automatically extract the needed information from an + existing X509 certificate with a matching RSA private key. Both parts can + be in one file, if it is in PEM format. If you have such an existing + certificate and key file and want to use it for authenticating IPSec + connections, then please answer yes. + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: File name of your X509 certificate in PEM format: + Please enter the full location of the file containing your X509 + certificate in PEM format. + +Template: strongswan/existing_x509_key_filename +Type: string +_Description: File name of your X509 private key in PEM format: + Please enter the full location of the file containing the private RSA key + matching your X509 certificate in PEM format. This can be the same file + that contains the X509 certificate. + +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: The length of the created RSA key (in bits): + Please enter the length of the created RSA key. It should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 2048 bits because it only slows the + authentication process down and is not needed at the moment. + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Do you want to create a self-signed X509 certificate? + This installer can only create self-signed X509 certificates + automatically, because otherwise a certificate authority is needed to sign + the certificate request. If you want to create a self-signed certificate, + you can use it immediately to connect to other IPSec hosts that support + X509 certificate for authentication of IPSec connections. However, if you + want to use the new PKI features of strongSwan >= 1.91, you will need to + have all X509 certificates signed by a single certificate authority to + create a trust path. + . + If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request + and you will have to get the certificate request signed by your certificate + authority. + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Country code for the X509 certificate request: + Please enter the 2 letter country code for your country. This code will be + placed in the certificate request. + . + You really need to enter a valid country code here, because openssl will + refuse to generate certificates without one. An empty field is allowed for + any other field of the X.509 certificate, but not for this one. + . + Example: AT + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: State or province name for the X509 certificate request: + Please enter the full name of the state or province you live in. This name + will be placed in the certificate request. + . + Example: Upper Austria + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Locality name for the X509 certificate request: + Please enter the locality (e.g. city) where you live. This name will be + placed in the certificate request. + . + Example: Vienna + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Organization name for the X509 certificate request: + Please enter the organization (e.g. company) that the X509 certificate + should be created for. This name will be placed in the certificate + request. + . + Example: Debian + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Organizational unit for the X509 certificate request: + Please enter the organizational unit (e.g. section) that the X509 + certificate should be created for. This name will be placed in the + certificate request. + . + Example: security group + +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Common name for the X509 certificate request: + Please enter the common name (e.g. the host name of this machine) for + which the X509 certificate should be created for. This name will be placed + in the certificate request. + . + Example: gateway.debian.org + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Email address for the X509 certificate request: + Please enter the email address of the person or organization who is + responsible for the X509 certificate, This address will be placed in the + certificate request. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Do you wish to enable opportunistic encryption in strongSwan? + strongSwan comes with support for opportunistic encryption (OE), which stores + IPSec authentication information (i.e. RSA public keys) in (preferably + secure) DNS records. Until this is widely deployed, activating it will + cause a significant slow-down for every new, outgoing connection. Since + version 2.0, strongSwan upstream comes with OE enabled by default and is thus + likely to break your existing connection to the Internet (i.e. your default + route) as soon as pluto (the strongSwan keying daemon) is started. + . + Please choose whether you want to enable support for OE. If unsure, do not + enable it. + diff --git a/debian/strongswan.templates.master b/debian/strongswan.templates.master deleted file mode 100644 index 3fac9039e..000000000 --- a/debian/strongswan.templates.master +++ /dev/null @@ -1,221 +0,0 @@ -Template: strongswan/start_level -Type: select -_Choices: earliest, "after NFS", "after PCMCIA" -Default: earliest -_Description: When to start strongSwan: - There are three possibilities when strongSwan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it's best to start strongSwan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). - . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start strongSwan after NFS so that all - necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. - . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choose to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. - -Template: strongswan/restart -Type: boolean -Default: true -_Description: Do you wish to restart strongSwan? - Restarting strongSwan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down - existing connections and then bring them back up. - -Template: strongswan/ikev1 -Type: boolean -Default: true -_Description: Do you wish to support IKEv1? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support - when strongSwan is started? - -Template: strongswan/ikev2 -Type: boolean -Default: true -_Description: Do you wish to support IKEv2? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support - when strongSwan is started? - -Template: strongswan/create_rsa_key -Type: boolean -Default: true -_Description: Do you want to create a RSA public/private keypair for this host? - This installer can automatically create a RSA public/private keypair for - this host. This keypair can be used to authenticate IPSec connections to - other hosts and is the preferred way for building up secure IPSec - connections. The other possibility would be to use shared secrets - (passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. - . - If you do not want to create a new public/private keypair, you can choose to - use an existing one. - -Template: strongswan/rsa_key_type -Type: select -_Choices: x509, plain -Default: x509 -_Description: The type of RSA keypair to create: - It is possible to create a plain RSA public/private keypair for use - with strongSwan or to create a X509 certificate file which contains the RSA - public key and additionally stores the corresponding private key. - . - If you only want to build up IPSec connections to hosts also running - strongSwan, it might be a bit easier using plain RSA keypairs. But if you - want to connect to other IPSec implementations, you will need a X509 - certificate. It is also possible to create a X509 certificate here and - extract the RSA public key in plain format if the other side runs - strongSwan without X509 certificate support. - . - Therefore a X509 certificate is recommended since it is more flexible and - this installer should be able to hide the complex creation of the X509 - certificate and its use in strongSwan anyway. - -Template: strongswan/existing_x509_certificate -Type: boolean -Default: false -_Description: Do you have an existing X509 certificate file for strongSwan? - This installer can automatically extract the needed information from an - existing X509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. If you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections, then please answer yes. - -Template: strongswan/existing_x509_certificate_filename -Type: string -_Description: File name of your X509 certificate in PEM format: - Please enter the full location of the file containing your X509 - certificate in PEM format. - -Template: strongswan/existing_x509_key_filename -Type: string -_Description: File name of your X509 private key in PEM format: - Please enter the full location of the file containing the private RSA key - matching your X509 certificate in PEM format. This can be the same file - that contains the X509 certificate. - -Template: strongswan/rsa_key_length -Type: string -Default: 2048 -_Description: The length of the created RSA key (in bits): - Please enter the length of the created RSA key. It should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. - -Template: strongswan/x509_self_signed -Type: boolean -Default: true -_Description: Do you want to create a self-signed X509 certificate? - This installer can only create self-signed X509 certificates - automatically, because otherwise a certificate authority is needed to sign - the certificate request. If you want to create a self-signed certificate, - you can use it immediately to connect to other IPSec hosts that support - X509 certificate for authentication of IPSec connections. However, if you - want to use the new PKI features of strongSwan >= 1.91, you will need to - have all X509 certificates signed by a single certificate authority to - create a trust path. - . - If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to get the certificate request signed by your certificate - authority. - -Template: strongswan/x509_country_code -Type: string -Default: AT -_Description: Country code for the X509 certificate request: - Please enter the 2 letter country code for your country. This code will be - placed in the certificate request. - . - You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. - . - Example: AT - -Template: strongswan/x509_state_name -Type: string -Default: -_Description: State or province name for the X509 certificate request: - Please enter the full name of the state or province you live in. This name - will be placed in the certificate request. - . - Example: Upper Austria - -Template: strongswan/x509_locality_name -Type: string -Default: -_Description: Locality name for the X509 certificate request: - Please enter the locality (e.g. city) where you live. This name will be - placed in the certificate request. - . - Example: Vienna - -Template: strongswan/x509_organization_name -Type: string -Default: -_Description: Organization name for the X509 certificate request: - Please enter the organization (e.g. company) that the X509 certificate - should be created for. This name will be placed in the certificate - request. - . - Example: Debian - -Template: strongswan/x509_organizational_unit -Type: string -Default: -_Description: Organizational unit for the X509 certificate request: - Please enter the organizational unit (e.g. section) that the X509 - certificate should be created for. This name will be placed in the - certificate request. - . - Example: security group - -Template: strongswan/x509_common_name -Type: string -Default: -_Description: Common name for the X509 certificate request: - Please enter the common name (e.g. the host name of this machine) for - which the X509 certificate should be created for. This name will be placed - in the certificate request. - . - Example: gateway.debian.org - -Template: strongswan/x509_email_address -Type: string -Default: -_Description: Email address for the X509 certificate request: - Please enter the email address of the person or organization who is - responsible for the X509 certificate, This address will be placed in the - certificate request. - -Template: strongswan/enable-oe -Type: boolean -Default: false -_Description: Do you wish to enable opportunistic encryption in strongSwan? - strongSwan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, strongSwan upstream comes with OE enabled by default and is thus - likely to break your existing connection to the Internet (i.e. your default - route) as soon as pluto (the strongSwan keying daemon) is started. - . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. - -- cgit v1.2.3