From c6d4f7459c3436c6e629a6b1fcd7f73bcaeca790 Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer
Date: Mon, 22 May 2006 06:41:59 +0000
Subject: - s/openswan/strongswan/g - s/Openswan/strongSwan/g But basically manually. Is certainly incomplete right now.

---
 debian/changelog | 496 +------------------
 debian/changelog.debian | 10 -
 debian/control | 50 +-
 debian/linux-patch-openswan.apply | 46 --
 debian/linux-patch-openswan.dirs | 3 -
 debian/linux-patch-openswan.docs | 2 -
 debian/linux-patch-openswan.unpatch | 39 --
 debian/linux-patch-strongswan.apply | 46 ++
 debian/linux-patch-strongswan.dirs | 3 +
 debian/linux-patch-strongswan.docs | 2 +
 debian/linux-patch-strongswan.unpatch | 39 ++
 debian/openswan-modules-source.control.in | 13 -
 debian/openswan-modules-source.dirs | 1 -
 debian/openswan-modules-source.docs | 2 -
 debian/openswan-modules-source.kernel-config | 110 -----
 debian/openswan-modules-source.rules | 150 ------
 debian/openswan.config | 57 ---
 debian/openswan.dirs | 15 -
 debian/openswan.docs | 5 -
 debian/openswan.postinst | 258 ----------
 debian/openswan.postrm | 42 --
 debian/openswan.prerm | 40 --
 debian/openswan.templates | 633 -------------------------
 debian/openswan.templates.master | 207 --------
 debian/rules | 204 ++++----
 debian/strongswan-modules-source.control.in | 13 +
 debian/strongswan-modules-source.dirs | 1 +
 debian/strongswan-modules-source.docs | 2 +
 debian/strongswan-modules-source.kernel-config | 110 +++++
 debian/strongswan-modules-source.rules | 150 ++++++
 debian/strongswan.config | 57 +++
 debian/strongswan.dirs | 15 +
 debian/strongswan.docs | 5 +
 debian/strongswan.postinst | 258 ++++++++++
 debian/strongswan.postrm | 42 ++
 debian/strongswan.prerm | 40 ++
 debian/strongswan.templates | 633 +++++++++++++++++++++++++
 debian/strongswan.templates.master | 207 ++++++++
 38 files changed, 1760 insertions(+), 2246 deletions(-)
 delete mode 100644 debian/changelog.debian
 delete mode 100644 debian/linux-patch-openswan.apply
 delete mode 100644 debian/linux-patch-openswan.dirs
 delete mode 100644 debian/linux-patch-openswan.docs
 delete mode 100644 debian/linux-patch-openswan.unpatch
 create mode 100644 debian/linux-patch-strongswan.apply
 create mode 100644 debian/linux-patch-strongswan.dirs
 create mode 100644 debian/linux-patch-strongswan.docs
 create mode 100644 debian/linux-patch-strongswan.unpatch
 delete mode 100644 debian/openswan-modules-source.control.in
 delete mode 100644 debian/openswan-modules-source.dirs
 delete mode 100644 debian/openswan-modules-source.docs
 delete mode 100644 debian/openswan-modules-source.kernel-config
 delete mode 100755 debian/openswan-modules-source.rules
 delete mode 100644 debian/openswan.config
 delete mode 100644 debian/openswan.dirs
 delete mode 100644 debian/openswan.docs
 delete mode 100644 debian/openswan.postinst
 delete mode 100644 debian/openswan.postrm
 delete mode 100644 debian/openswan.prerm
 delete mode 100644 debian/openswan.templates
 delete mode 100644 debian/openswan.templates.master
 create mode 100644 debian/strongswan-modules-source.control.in
 create mode 100644 debian/strongswan-modules-source.dirs
 create mode 100644 debian/strongswan-modules-source.docs
 create mode 100644 debian/strongswan-modules-source.kernel-config
 create mode 100755 debian/strongswan-modules-source.rules
 create mode 100644 debian/strongswan.config
 create mode 100644 debian/strongswan.dirs
 create mode 100644 debian/strongswan.docs
 create mode 100644 debian/strongswan.postinst
 create mode 100644 debian/strongswan.postrm
 create mode 100644 debian/strongswan.prerm
 create mode 100644 debian/strongswan.templates
 create mode 100644 debian/strongswan.templates.master

diff --git a/debian/changelog b/debian/changelog
index 8b7e14fda..6e4484588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,497 +1,9 @@ -openswan (1:2.4.5-3) unstable; urgency=low +strongswan (2.7.0-1) unstable; urgency=low - * Renamed kernel-patch-openswan to linux-patch-openswan. - * Removed the remarks in the package descriptions that linux-patch-openswan - and openswan-modules-source will only work with 2.4 series kernels. This - is no longer true. - * Use updated French translation. Thanks to Christian Perrier and sorry for - not giving time to update the translations before the last upload. I felt - that the FTBFS should be corrected quickly. - Closes: #364399: openswan: [INTL:fr] French debconf templates translation + * Initial Debian packaging of strongswan. This is directly based on my + Debian package of openswan 2.4.5-3. - -- Rene Mayrhofer Sun, 23 Apr 2006 21:47:53 +0100 - -openswan (1:2.4.5-2) unstable; urgency=low - - * The NMU patch doesn't seem to have applied to debian/control, - because the dependency was still on libopensc1-dev. Fixed that now - by adding libopensc2-dev. - Closes: #363073: openswan_1:2.4.5-1: FTBFS: Build depends on - libopensc1-dev - * Added the patch to fix alignment issues on Sparc, as upstream acknowledged - it and applied it to their development tree. - Closes: #341630: openswan: Pluto crypto helper gets SIGBUS on SPARC due - to request memory alignment issue - - -- Rene Mayrhofer Mon, 17 Apr 2006 14:53:37 +0100 - -openswan (1:2.4.5-1) unstable; urgency=low - - * New upstream release. This release adds support for patching newer kernel - versions. Verified that the patched kernel tree compiles with Debian - kernel sources 2.6.15-8 and 2.6.16-6. - Closes: #361800: kernel-patch-openswan: Fails to patch Debian 2.6.15 - kernel - It also adds the patches for an IPSec/L2TP server behind a NAT. - Closes: #307529: More patches for openswan server behind NAT - Closes: #353792: openswan nat-t failure - And additionally there are (according to upstream changelogs) fixes for - running on SMP systems. 
If the following bug still persists (can not test - myself), then please reopen. - Closes: #343603: kernel-patch-openswan: Starting IPSEC makes system freeze - The patch to fix the snmpd crash is also in this upstream version (just - checked linux/net/ipsec/ipsec_tunnel.c). It was probably in older versions - as well, so this might have been closed earlier. It's not mentioned in - upstream changelog, so I don't know exactly when it has been fixed. - Closes: #318298: kernel-patch-openswan: Kernel Oops - Null Dereference - when using snmpd - The ipsec.conf manual page has been updated to document connaddrfamily. - Closes: #296611: openswan: "man -S 5 ipsec.conf" fails to mention the - parameter "connaddrfamily" - * Acknowledge fixes in last NMU - thanks to Christian. - Closes: #352050: openswan: FTBFS: Package libopensc1-dev has no - installation candidate - Closes: #356716: openswan: Incomplete clean when building - Closes: #316693: openswan_1/2.2.0-10 - Closes: #339390: openswan: [INTL:sv] Swedish debconf templates translation - * Enable building of XAUTH support. - * Import override files from /etc/default instead of /etc/sysconfig. This - uses dpatch, so now Build-Depend on it. - Closes: #354965: openswan: /usr/lib/ipsec/_updown uses /etc/sysconfig/, - please change to /etc/default/ - * Only ask if an existing certificate/private key pair should be used when - the user chose not to create a new key pair. Also mention, when asking to - create a new key pair, that an existing one can be used alternatively. - Closes: #298250: confusing debconf question about certificate creation - * Move the USE_LDAP, USE_LIBCURL, and HAVE_THREADS options from the - "make install" to the "make programs" call where it belongs. - Closes: #292838: openswan: Dynamic CRL fetching not supported - * Remove /usr/share/doc/openswan/index.html, because it is a duplicate of - /usr/share/doc/openswan/doc/index.html, and only the latter one has links - to existing files. 
- Closes: #311613: openswan: html documentation links to the wrong place - Closes: #357719: broken links in file:///usr/share/doc/openswan/index.html - Closes: #357698: broken links in file:///usr/share/doc/openswan/index.html - * Add #ifdef to linux/net/ipsec/ipsec_init.c to branch between Debian and - vanilla 2.4 kernels. For Debian kernels with the XFRM (26sec) backport, - a second option is necessary for inet_(add|del)_protocol. This should - allow KLIPS to compile on both Debian and vanilla 2.4 kernels. Verified - that it compiles with Debian 2.4.27-12 and vanilla 2.4.32. - Closes: #340294: openswan-modules-source: fails to build with 2.4.27 on - sarge - Closes: #342844: kernel-patch-openswan: FTBS with kernel-source-2.4.27 - 2.4.27-11 - * Document in README.Debian that KLIPS for 2.4 kernels will not compile with - newer GCC versions and give a hint on how to use older versions with - make-kpkg. - * Kernel 2.6.8 is not properly supported and is horribly outdated by now. - If you really need to use 2.6.8, then please use the native 26sec IPSec - stack. For KLIPS support, use at least 2.6.12, or better 2.6.15. - Closes: #318136: kernel-patch-openswan: Problem applying - kernel-openswan-patch to kernel-source-2.6.8 - * Compress the modules source tree with bzip2 instead of gzip and thus - reduce the size of the openswan-modules-source package. - - -- Rene Mayrhofer Sat, 15 Apr 2006 21:36:36 +0100 - -openswan (1:2.4.4-3.1) unstable; urgency=high - - * Non-maintainer upload with maintainer's agreement - * Fix FTBFS by replacing the build dependency on libopensc1-dev to - libopensc2-dev. 
Closes: #352050 - * Really clean when building - Closes: #356716 - * Correct typos and English errors in templates - Unfuzzy translations - Closes: #316693 - * Swedish debconf templates translation added - Closes: #339390 - - -- Christian Perrier Thu, 16 Mar 2006 06:10:05 +0100 - -openswan (1:2.4.4-3) unstable; urgency=low - - * Corrected PATCHNAME in the kernel-patch-openswan unpatch script. - Closes: #344852: kernel-patch-openswan: PATCHNAME=openswan in apply script - but =freeswan in unpatch - - -- Rene Mayrhofer Tue, 27 Dec 2005 10:38:33 +0000 - -openswan (1:2.4.4-2) unstable; urgency=low - - * Build-depend on libkrb5-dev. - Closes: #344612: openswan: pluto has shared library dependency on - libkrb5support.so - - -- Rene Mayrhofer Mon, 26 Dec 2005 11:22:17 +0000 - -openswan (1:2.4.4-1) unstable; urgency=high - - Reasoning for urgency high: DoS security issues. - * New upstream version. This is supposed to fix the other part of the DoS - problem. - - -- Rene Mayrhofer Fri, 18 Nov 2005 19:23:49 +0000 - -openswan (1:2.4.3-1) unstable; urgency=high - - Reasoning for urgency high: DoS security issues. - * New upstream version. - Closes: Bug#339082: kernel-patch-openswan: ISAKMP implementation - problems / DoS - - -- Rene Mayrhofer Tue, 15 Nov 2005 15:49:44 +0000 - -openswan (1:2.4.0-3) unstable; urgency=low - - * Doh. Forgot to merge the new debconf depends from my openswan 2.2.0 - package branch. Now again change the debconf depends to debconf | - debconf-2.0. - Closes: #332055: openswan depends on debconf without | debconf-2.0 - alternate; blocks cdebconf transition - * Also build-depend on the new libssl (>= 0.9.8-1) now to help the - transition. If you recompile this package for woody/sarge, you can safely - ignore this versioned build-dependency. No new API is needed this is just - for the ABI transition. 
- - -- Rene Mayrhofer Mon, 10 Oct 2005 11:22:12 +0100 - -openswan (1:2.4.0-2) unstable; urgency=low - - * Module building has changed a bit for the new openswan upstream - releases (need additional files). Adapt the openswan-modules-source - package to that and also fix pfkey_v2.c to compile with kernel 2.4 - (patches sent to upstream for future inclusion). - Closes: #291274: Fails to build with 2.4.29: missing Makefile - Closes: #273443: openswan-modules-source: doesn't build with 2.6.8 - - different from #273144 (?) - * Fix the postinst script (must have been a bash update that broke it). - Closes: #330864: openswan: postinst fails with "`make-x509-cert': not a - valid identifier" - - -- Rene Mayrhofer Fri, 30 Sep 2005 18:11:28 +0100 - -openswan (1:2.4.0-1) unstable; urgency=low - - * New upstream release. This finally allows the Debian packages to be - updated since the regression from 2.2.X to 2.3.X has been fixed (pluto - crash with roadwarriors). Please be aware that pluto daemons from 2.2 or - 2.3 openswan release will still crash, so please update all your - installations as soon as possible. - Closes: #292132: openswan: OpenSwan 2.2.0 crashes when a road-warrior - comes in using 2.3.0 - This release also supports KLIPS with 2.6 kernels now. - Closes: #301801: kernel-patch-openswan: Fails to build with Debian - 2.6.10 source - #273443: openswan-modules-source: doesn't build with 2.6.8 - - different from #273144 (?) - #318136: kernel-patch-openswan: Problem applying - kernel-openswan-patch to kernel-source-2.6.8 - * Fixed gcc 4 compile for fswcert (patch will be forwarded to upstream). - * Added Vietnamese debconf translation. - Closes: #316692: INTL:vi - * Introduced the epoch in this branch to allow automatic updates from the - previously downgraded 2.2 release. - * Edited the debian/copyright file to mention the shared GPL path and - removed old licenses (only refer to CREDITS now). 
- - -- Rene Mayrhofer Mon, 19 Sep 2005 13:40:30 +0100 - -openswan (2.3.1-1) unstable; urgency=high - - Urgency HIGH because openswan is an important package for testing (at least - in my opinion...). - * New upstream version. This update should fix the various crashes - that openswan 2.3.0 pluto was causing on other openswan boxes - (occured in the wild with 2.2.0 and 2.3.0, but might also happen - with others) in some cases. - Closes: #292132: openswan: OpenSwan 2.2.0 crashes when a road-warrior - comes in using 2.3.0 - * Adapt to the new way of building modules (which changed between upstream - version 2.2.0 and 2.3.0). openswan-modules-source should now build with - 2.4 and with 2.6 kernels (using make-kpkg). - Closes: #291274: Fails to build with 2.4.29: missing Makefile - Closes: #276521: openswan-modules-source: ipsec_aes.o & ipsec_cryptoapi.o - not kernel modules - * Also enable building of 2.6 kernel modules in openswan-modules-source. - Closes: #273443: openswan-modules-source: doesn't build with 2.6.8 - - different from #273144 (?) - * kernel-patch-openswan also needed some changes due to the new tree - layout (specifically the new Makefile.top). Now kernel-patch-openswan - has been enabled to work with kernel 2.6, so you can now get ipsecX - interfaces with kernel 2.6 (tested with vanilla 2.6.10)! - Closes: #301801 kernel-patch-openswan: Fails to build with Debian 2.6.10 - source - * There was no reply by the original bug submitter, so this really seemed - to be a toolchain problem. I can't reproduce this bug. - Closes: #283387: openswan: Fails to build on testing (Sarge) - * The build-dependency has already been updated from libcurl2-dev to - libcurl3-dev in package 2.3.0-1. Now updated it to - libcurl3-dev | libcurl2-dev so that backporting to woody is easier. - Closes: #298468 openswan fails to build on sarge due to missing - libcurl2-dev dependancy - * The same goes for libopensc*-dev. - * Fixed typos in the logcheck ignore files. 
- Closes: #298693: openswan: logcheck files - typo - * Updated debconf translations. - Closes: #290847: openswan: [INTL:fr] French debconf templates translation - Closes: #292077: [INTL:pt_BR] Please apply the attached patch in order to - update openswan's pt_BR debconf translation - Closes: #294202: [l10n] Czech po-debconf template translation (cs.po) - * Removed the source code for the fswcert utility from the debian/ dir in - the source package - it is now included in the upstream source under - programs/. - * Removed the conflicts with ike-server (still providing it though). - Closes: #297186: openswan: Remove conflict on ike-server - * Don't conflict with freeswan generally, but only with versions < 2.04-12. - (This is in preparation of the freeswan transition package that I am - working on.) - * Explicitly remove the execute permissions from /etc/ipsec.d/policies/*. - Closes: #298245: wrong permissions in /etc - * No longer need gawk for openswan scripts to work. This allows to finally - removed the awk-to-gawk hack in debian/rules and means that openswan no - longer depends on gawk. - * Enable the building of pluto code for dynamic URL fetching (which needs - libldap2-dev and libcurl3-dev) and the XAUTH PAM support. Therefore, we - now build-depend on libpam0g-dev. - Closes: #292838: openswan: Dynamic CRL fetching not supported - - -- Rene Mayrhofer Sat, 9 Apr 2005 17:56:16 +0200 - -openswan (2.3.0-2) unstable; urgency=HIGH - - Urgency HIGH due to security issue and problems with build-deps in sarge. - * Fix the security issue. Please see - http://www.idefense.com/application/poi/display?id=190& - type=vulnerabilities&flashstatus=false - or CAN-2005-0162 at - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0162 - for more details. Thanks to Martin Schulze for informing me about this - issue. - Closes: #292458: Openswan XAUTH/PAM Buffer Overflow Vulnerability - * Added a Build-Dependency to lynx. 
- Closes: #291143: openswan: FTBFS: Missing build dependency. - - -- Rene Mayrhofer Thu, 27 Jan 2005 16:10:11 +0100 - -openswan (2.3.0-1) unstable; urgency=low - - * New upstream release. - Important change: aes-sha1 is now the default proposal (but 3des-md5 is - still supported if the other side requests it). Please look at - /usr/share/doc/openswan/docs/RELEASE-NOTES for details. - * Includes KLIPS support for kernel 2.6 for the first time, but I have not - yet modified openswan-modules-source to cope with that. If somebody wants - to lend me a hand to address #273443, it would be more than welcome. - * This release includes a fix for the reported snmpd crash - (in ipsec_tunnel.c). Many thanks to Nate Carlson for pointing this out. - Closes: #261892: openswan: System crashes when snmpd runs at the same time - * Update Build-Depends from libopensc0-dev to libopensc1-dev. - Closes: #289600: openswan: can't fulfill the build dependencies - * Update Build-Depends from libcurl2-dev to libcurl3-dev. - * Include Japanese debconf translation and fix a typo in the master. - Closes: #288996: openswan: Japanese po-debconf template translation - (ja.po) and typo in template.pot - * Auto-apply the NAT Traversal patch with kernel-patch-openswan again. This - was changed by openswan (the freeswan version included the NAT-T patch - automatically). Thus, the patch is now applied before inserting the KLIPS - part. - * Include a ready-to-use NAT-T diff in the openswan-modules-source package - so that anybody who uses this package still has the option of using NAT - Traversal (though this means patching the kernel anyway, and kind of - makes the out-of-tree compilation senseless). However, Debian 2.4 series - kernels should already have NAT-T applied. - * Document the above two changes in the package descriptions and - README.Debian. 
- - -- Rene Mayrhofer Thu, 13 Jan 2005 09:30:45 +0100 - -openswan (2.2.0-5) unstable; urgency=low - - * Added more explanations to README.Debian on how to build the kernel - modules with either openswan-modules-source or kernel-patch-openswan. - - -- Rene Mayrhofer Sat, 16 Oct 2004 13:11:48 +0200 - -openswan (2.2.0-4) unstable; urgency=medium - - Urgency medium to get this version into sarge - it fixes a bug that turned - up on some machines and prevented openswan from starting. - * no_oe.conf will work when there are spaces at the end, many thanks to - Hans Fugal for figuring that out! - Closes: #270012: openswan: Fails to start after Installation - (/etc/ipsec.d/examples/no_oe.conf problem?) - I am now sending this towards upstream so that it should hopefully get - fixed for the next release - it's a bit awkward for a config file. - * Fixed a minor aesthetical issue in openswan.postinst: when a plain RSA key - is already present in ipsec.secrets and a new one is being created, a - needless line was printed. Silenced by adding -q to egrep. - - -- Rene Mayrhofer Sun, 3 Oct 2004 20:57:22 +0200 - -openswan (2.2.0-3) unstable; urgency=low - - * Also added flex to Build-Depends, the new starter (replacement for - the init scripts, but not yet active) needs it to build. - Closes: #272935: openswan_2.2.0-1(ia64/unstable): FTBFS: missing - build-depends - Closes: #273241: openswan: FTBFS: Missing Build-Depends on 'flex' - * Adapted the rules file of openswan-modules-source to cope with the new - upstream source code - need to generate a C file from a template before - the ipsec module can be built. - Closes: #273144: openswan-modules-source: linux/net/ipsec/version.c - neither created nor compiled - * Enabled the building of modular extensions (AES and cryptoapi) by default - for openswan-modules-source. Also enabled the AES cipher in addition to - 3DES (this is directly in the ipsec.o kernel module, the modular - extensions version is an alternative to this). 
- - -- Rene Mayrhofer Fri, 24 Sep 2004 12:38:47 +0200 - -openswan (2.2.0-2) unstable; urgency=low - - * Added bison to Build-Depends. - - -- Rene Mayrhofer Thu, 23 Sep 2004 15:18:51 +0200 - -openswan (2.2.0-1) unstable; urgency=medium - - * New upstream version: - - Introduces AES support, which is the reason for urgency medium. AES - should definitly go into sarge. - - Adds RFC 3706 DPD (dead peer detection) support, see - /usr/share/doc/openswan/docs/README.DPD for details. - This adds the last missing piece (AES) to replace the freeswan package - completely. As of now, freeswan is officially unsupported and will soon - be removed from Debian. Please upgrade to openswan, which should not cause - any issues. Configuration files and certificates are completely compatible. - Closes: #270012: openswan: Fails to start after Installation - (/etc/ipsec.d/examples/no_oe.conf problem?) - I can no longer reproduce this problem on a fresh install of - 2.2.0-1. - Closes: #260120: openswan: Patch fixing #256391 breaks the autogenerated - certificate - The new X.509 patch included in this upstream release (no longer - patched by the Debian package) should fix this too. - Closes: #246828: /etc/ipsec.conf refers to invalid URLs - The default ipsec.conf file distributed by upstream no longer - refers to an URL. - * Fixed a thinko in the postinst script that prevented the correct insertion - of plain RSA keys into /etc/ipsec.secrets (i.e. not using X.509 - certificates). Fixed now. - Closes: #268742: openswan: Plain RSA key not successfully written to - ipsec.secrets - * Adapt to the new way of openswan handling the disabling of opportunistic - encryption. In the default ipsec.conf distributed with upstream openswan, - OE is now disabled (which changes the previous default). Adapted the - postinst script so that it can now enable and disable OE support based on - the debconf option. 
- Closes: #268743: openswan: fails to respect debconf OE setting - * Updated the French and Brazilian Portugese debconf translations. - Closes: #256457: openswan: [INTL:fr] French debconf templates translation - Closes: #264246: openswan: [INTL:pt_BR] Please use the attached Brazilian - Portuguese debconf template translation - * Patched debian/fswcert/fswcert.c to compile cleanly with gcc-3.4. Thanks - to Andreas Jochens for the patch! - Closes: #262663: openswan: FTBFS with gcc-3.4: label at end of compound - statement - * Documented how to build the KLIPS kernel part with either the - kernel-patch-openswan or the openswan-modules-source packages. - Closes: #246819: Needs documentation on how to build the kernel modules - * Bump Standards-Version to 3.6.1.0, no changes necessary. - - -- Rene Mayrhofer Tue, 21 Sep 2004 18:13:52 +0200 - -openswan (2.1.5-1) unstable; urgency=medium - - * New upstream release, which fixes another potential security issue. - - -- Rene Mayrhofer Sun, 5 Sep 2004 18:00:40 +0200 - -openswan (2.1.3-1) unstable; urgency=HIGH - - Urgency high because of a possibly security issue. - * New upstream version. This includes the CRL fix form 2.1.1-5 and the - proper activation of NAT traversal in Makefile.inc. - Closes: #253457: Openswan: new upstream available that includes xauth - Closes: #253458: Openswan: new upstream available that includes xauth - Closes: #253461: Openswan: new upstream available - Closes: #253782: openswan: Should automatically load kernel module - xfrm_user - But I have currently not explicitly enabled xaut support in Makefile.inc, - quoting from there: "off by default, since XAUTH is tricky, and you can - get into security trouble". If it needs to be enabled to work, please tell - me and I will need to take a far closer look on it (and the involved - problems). - This new upstream version also fixes a possible security issue in the - X.509 certificate authentication. 
- * The last upload didn't seem to have hit the archives, strange... - However, the bugs are still fixed, closing them now. - Closes: #245450: openswan should not depend on - kernel-image-2.4 || kernel-image-2.6 - Closes: #246847: openswan: shouldn't conflict with ike-server - Closes: #246373: openswan: [INTL:fr] French debconf templates translation - - -- Rene Mayrhofer Thu, 17 June 2004 12:22:45 +0200 - -openswan (2.1.1-5) unstable; urgency=low - - * Applied a patch from openswan CVS to fix CRL related crashes. - * Drop the dependency on kernels it works with - the package description - already says that it will need kernel support to work. This allows people - to easily use self-compiled kernels with the right support (e.g. 2.6.5). - Closes: #245450: openswan should not depend on - kernel-image-2.4 || kernel-image-2.6 - * While I'm at it, also replace the various Suggests: *freeswan* with - openswan. Oops. - * openswan conflicts with ike-server because only one ike-server can be - active at any given time (it will listen on UDP port 500). This policy - has been agreed to by all Debian IPSec package maintainers and implemented - in all ike-server providing packages. - Closes: #246847: openswan: shouldn't conflict with ike-server - * Took the debconf translations from the freeswan package and "ported" them - via debconf-updatepo. Thanks to Christian Perrier for mentioning that it - was this easy. - The templates should now be correct (all instances of FreeS/wan replaced - by Openswan). - Closes: #246373: openswan: [INTL:fr] French debconf templates translation - - -- Rene Mayrhofer Tue, 18 May 2004 19:46:24 +0200 - -openswan (2.1.1-4) unstable; urgency=low - - * Fixed the kernel-patch-openswan apply script. - * Warning: Due to an upstream bug, pluto from this version will dump core - on certain CRLs. If you are hit by this bug, please report it directly to - upstream, they are still tracking the issue down. 
- - - -- Rene Mayrhofer Thu, 15 Apr 2004 09:50:32 +0200 - -openswan (2.1.1-3) unstable; urgency=low - - * Also build the openswan-modules-source and kernel-patch-openswan - packages now. - * Fixed _startklips in combination with the native IPSec stack - many thanks - to Nate Carlson for the patch. - - -- Rene Mayrhofer Wed, 31 Mar 2004 19:33:49 +0200 - -openswan (2.1.1-2) unstable; urgency=low - - * Took the package as official maintainer. - * Updated all relevant packaging stuff to the level of freeswan 2.04-9, - including auto-generation of X.509 certificates and insertion in - ipsec.secrets. This also corrects the libexec path in some scripts. - - -- Rene Mayrhofer Wed, 31 Mar 2004 11:23:46 +0200 - -openswan (2.1.1-1) unstable; urgency=low - - * Initial version - packaging based on Rene Mayrhofer's - FreeS/WAN packaging - - -- Alexander List Sun, 21 Mar 2004 21:47:53 +0100 + -- Rene Mayrhofer Mon, 22 May 2006 07:37:00 +0100 Local variables: mode: debian-changelog diff --git a/debian/changelog.debian b/debian/changelog.debian deleted file mode 100644 index 14b30ca82..000000000 --- a/debian/changelog.debian +++ /dev/null @@ -1,10 +0,0 @@ -freeswan (2.00) unstable; urgency=low - - This is a major update to the FreeS/WAN source tree to include the - debian packaging components. This version supports just the native - pieces of FreeS/WAN - no patches. - - The debian changelog is at changelog.debian. - - - diff --git a/debian/control b/debian/control index 919875eab..8ed778e7a 100644 --- a/debian/control +++ b/debian/control 
@@ -1,24 +1,24 @@ -Source: openswan +Source: strongswan Section: net Priority: optional Maintainer: Rene Mayrhofer Standards-Version: 3.6.1.0 Build-Depends: debhelper (>= 4.1.16), libgmp3-dev, libssl-dev (>= 0.9.8-1), htmldoc, man2html, libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, lynx, dpatch, bzip2 -Package: openswan +Package: strongswan Architecture: any Pre-Depends: debconf | debconf-2.0 Depends: ${shlibs:Depends}, bsdmainutils, makedev | devfsd, debianutils (>=1.7), ipsec-tools, openssl, host, iproute -Suggests: openswan-modules-source | linux-patch-openswan, curl +Suggests: strongswan-modules-source | linux-patch-strongswan, curl Provides: ike-server Conflicts: freeswan (<< 2.04-12) -Description: IPSEC utilities for Openswan +Description: IPSEC utilities for strongSwan IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents. . - This version of Openswan supports Opportunistic Encryption (OE) out of the + This version of strongSwan supports Opportunistic Encryption (OE) out of the box. OE enables you to set up IPsec tunnels to a site without co-ordinating with the site administrator, and without hand configuring each tunnel. If enough sites support OE, a "FAX effect" 
@@ -36,34 +36,46 @@ Description: IPSEC utilities for Openswan and crypto support, patching the kernel is no longer necessary! . If you want to use the KLIPS IPSec code for kernel modules instead of the - native ones, you will need to install either openswan-modules-source or - linux-patch-openswan and build the respective modules for your kernel. + native ones, you will need to install either strongswan-modules-source or + linux-patch-strongswan and build the respective modules for your kernel. -Package: openswan-modules-source +Package: strongswan-modules-source Architecture: all Depends: coreutils | fileutils, debhelper, bzip2 Recommends: kernel-package (>= 7.04), kernel-source -Suggests: openswan -Description: IPSEC kernel modules source for Openswan - This package contains the source for the Openswan modules to get the necessary - kernel support to use Openswan. +Suggests: strongswan +Description: IPSEC kernel modules source for strongSwan + This package contains the source for the strongSwan modules to get the necessary + kernel support to use strongSwan. . It includes the NAT Traversal patches, which will need to be applied to the kernel tree if NAT Traversal is needed. + . + This package will not work with 2.6 kernels! It is recommended to use the + native IPSec stack included with 2.6 kernels with strongSwan. If you want to + use KLIPS (the FreeSWan/Openswan/strongSwan IPSec kernel support) with a 2.6 + kernel, then please use the openswan-modules-source package. It is + interoperable with the strongswan user space programs. 
-Package: linux-patch-openswan +Package: linux-patch-strongswan Architecture: all Depends: coreutils | fileutils Recommends: kernel-package (>= 7.04) -Suggests: openswan -Provides: kernel-patch-openswan -Replaces: kernel-patch-openswan -Description: IPSEC Linux kernel support for Openswan +Suggests: strongswan +Provides: kernel-patch-strongswan +Replaces: kernel-patch-strongswan +Description: IPSEC Linux kernel support for strongSwan This package contains the patches for the Linux kernel to get the necessary - kernel support to use Openswan. If you want to build a kernel module for - IPSec, it is much easier to use the openswan-modules-source package instead. + kernel support to use strongSwan. If you want to build a kernel module for + IPSec, it is much easier to use the strongswan-modules-source package instead. This kernel-patch package should probably only be used when building a non-modular kernel or when compiling IPSec non-modular. . It includes the NAT Traversal patches and applies them automatically to the kernel after inserting KLIPS. + . + This package will not work with 2.6 kernels! It is recommended to use the + native IPSec stack included with 2.6 kernels with strongSwan. If you want to + use KLIPS (the FreeSWan/Openswan/strongSwan IPSec kernel support) with a 2.6 + kernel, then please use the linux-patch-strongswan package. It is + interoperable with the strongswan user space programs. diff --git a/debian/linux-patch-openswan.apply b/debian/linux-patch-openswan.apply deleted file mode 100644 index 107cdb0e7..000000000 --- a/debian/linux-patch-openswan.apply +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /bin/sh -# -# (C) 1998 Manoj Srivastava & Eric Delaunay. - -set -e - -ARCHITECTURE=all -PATCHNAME=openswan -PATCHDIR=/usr/src/kernel-patches/$ARCHITECTURE/openswan -#PATCHDIR=`dirname $0`/../$PATCHNAME - -if ! test -d kernel -a -d Documentation ; then - echo "Not in kernel top level directory. Exiting" >&2 - exit 1 -fi - -if test -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME ; then - exit 0 # patch already applied -fi - -rm -rf net/ipsec -KERNELDIR=`pwd` - -# apply the NAT-T patch first (if it applies...) -echo "Applying NAT Traversal patch to networking subsystem." -if make -C "$PATCHDIR" -f Makefile nattpatch \ - | patch -p1 --dry-run >/dev/null; then - make -C "$PATCHDIR" -f Makefile nattpatch \ - | patch -p1 -else - echo "The patch does not apply cleanly, skipping it. Please check manually" - echo "if your kernel already supports NAT Traversal (Debian kernel sources" - echo "might already be patched to do so)." -fi - -echo "Inserting KLIPS into kernel." -make -C "$PATCHDIR" -f Makefile kpatch \ - KERNELSRC="$KERNELDIR"\ - PATCHER="./patcher" -make -C "$PATCHDIR" -f Makefile klink \ - KERNELSRC="$KERNELDIR"\ - KLIPSLINK="cp -a" -make -C "$PATCHDIR" -f Makefile klipsdefaults \ - KERNELSRC="$KERNELDIR" - -mkdir -p debian && touch debian/APPLIED_${ARCHITECTURE}_$PATCHNAME diff --git a/debian/linux-patch-openswan.dirs b/debian/linux-patch-openswan.dirs deleted file mode 100644 index 57f41cb32..000000000 --- a/debian/linux-patch-openswan.dirs +++ /dev/null @@ -1,3 +0,0 @@ -usr/src/kernel-patches/all/apply -usr/src/kernel-patches/all/unpatch -usr/src/kernel-patches/all/openswan diff --git a/debian/linux-patch-openswan.docs b/debian/linux-patch-openswan.docs deleted file mode 100644 index e61535265..000000000 --- a/debian/linux-patch-openswan.docs +++ /dev/null @@ -1,2 +0,0 @@ -CREDITS -debian/README.Debian diff --git a/debian/linux-patch-openswan.unpatch b/debian/linux-patch-openswan.unpatch deleted file mode 100644 index 2fca79aa6..000000000 
--- a/debian/linux-patch-openswan.unpatch +++ /dev/null @@ -1,39 +0,0 @@ -#! /bin/sh -# -# (C) 1998 Manoj Srivastava & Eric Delaunay. - -set -e - -ARCHITECTURE=all -PATCHNAME=openswan -PATCHDIR=/usr/src/kernel-patches/$ARCHITECTURE/openswan -#PATCHDIR=`dirname $`/../$PATCHNAME - -if ! test -d kernel -a -d Documentation ; then - echo "Not in kernel top level directory. Exiting" >&2 - exit 1 -fi - -if ! test -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME ; then - exit 0 # no need to remove a non existent patch -fi - -rm -rf net/ipsec -patchedfiles=`find . -name "*.preipsec" -type f` -for f in $patchedfiles; do - origname=`expr "$f" : '\(.*\)\.preipsec$'` - echo "Restoring $origname from $f" - mv $f $origname -done - -removefiles=`find . -name "*.ipsecmd5" -type f` -removefiles="$removefiles `find . -name "*.wipsec" -type f`" -for f in $removefiles; do - echo "Removing $f" - rm $f -done - -rm -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME -[ -d debian ] && ( rmdir -p debian || true ) - -exit 0 diff --git a/debian/linux-patch-strongswan.apply b/debian/linux-patch-strongswan.apply new file mode 100644 index 000000000..107cdb0e7 --- /dev/null +++ b/debian/linux-patch-strongswan.apply 
@@ -0,0 +1,46 @@ +#! /bin/sh +# +# (C) 1998 Manoj Srivastava & Eric Delaunay. + +set -e + +ARCHITECTURE=all +PATCHNAME=openswan +PATCHDIR=/usr/src/kernel-patches/$ARCHITECTURE/openswan +#PATCHDIR=`dirname $0`/../$PATCHNAME + +if ! test -d kernel -a -d Documentation ; then + echo "Not in kernel top level directory. Exiting" >&2 + exit 1 +fi + +if test -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME ; then + exit 0 # patch already applied +fi + +rm -rf net/ipsec +KERNELDIR=`pwd` + +# apply the NAT-T patch first (if it applies...) +echo "Applying NAT Traversal patch to networking subsystem." +if make -C "$PATCHDIR" -f Makefile nattpatch \ + | patch -p1 --dry-run >/dev/null; then + make -C "$PATCHDIR" -f Makefile nattpatch \ + | patch -p1 +else + echo "The patch does not apply cleanly, skipping it. Please check manually" + echo "if your kernel already supports NAT Traversal (Debian kernel sources" + echo "might already be patched to do so)." +fi + +echo "Inserting KLIPS into kernel." +make -C "$PATCHDIR" -f Makefile kpatch \ + KERNELSRC="$KERNELDIR"\ + PATCHER="./patcher" +make -C "$PATCHDIR" -f Makefile klink \ + KERNELSRC="$KERNELDIR"\ + KLIPSLINK="cp -a" +make -C "$PATCHDIR" -f Makefile klipsdefaults \ + KERNELSRC="$KERNELDIR" + +mkdir -p debian && touch debian/APPLIED_${ARCHITECTURE}_$PATCHNAME diff --git a/debian/linux-patch-strongswan.dirs b/debian/linux-patch-strongswan.dirs new file mode 100644 index 000000000..57f41cb32 --- /dev/null +++ b/debian/linux-patch-strongswan.dirs @@ -0,0 +1,3 @@ +usr/src/kernel-patches/all/apply +usr/src/kernel-patches/all/unpatch +usr/src/kernel-patches/all/openswan diff --git a/debian/linux-patch-strongswan.docs b/debian/linux-patch-strongswan.docs new file mode 100644 index 000000000..e61535265 --- /dev/null +++ b/debian/linux-patch-strongswan.docs @@ -0,0 +1,2 @@ +CREDITS +debian/README.Debian diff --git a/debian/linux-patch-strongswan.unpatch b/debian/linux-patch-strongswan.unpatch new file mode 100644 index 000000000..2fca79aa6 
--- /dev/null +++ b/debian/linux-patch-strongswan.unpatch @@ -0,0 +1,39 @@ +#! /bin/sh +# +# (C) 1998 Manoj Srivastava & Eric Delaunay. + +set -e + +ARCHITECTURE=all +PATCHNAME=openswan +PATCHDIR=/usr/src/kernel-patches/$ARCHITECTURE/openswan +#PATCHDIR=`dirname $`/../$PATCHNAME + +if ! test -d kernel -a -d Documentation ; then + echo "Not in kernel top level directory. Exiting" >&2 + exit 1 +fi + +if ! test -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME ; then + exit 0 # no need to remove a non existent patch +fi + +rm -rf net/ipsec +patchedfiles=`find . -name "*.preipsec" -type f` +for f in $patchedfiles; do + origname=`expr "$f" : '\(.*\)\.preipsec$'` + echo "Restoring $origname from $f" + mv $f $origname +done + +removefiles=`find . -name "*.ipsecmd5" -type f` +removefiles="$removefiles `find . -name "*.wipsec" -type f`" +for f in $removefiles; do + echo "Removing $f" + rm $f +done + +rm -f debian/APPLIED_${ARCHITECTURE}_$PATCHNAME +[ -d debian ] && ( rmdir -p debian || true ) + +exit 0 diff --git a/debian/openswan-modules-source.control.in b/debian/openswan-modules-source.control.in deleted file mode 100644 index 7e5aa5307..000000000 --- a/debian/openswan-modules-source.control.in +++ /dev/null @@ -1,13 +0,0 @@ -Section: net -Priority: optional -Maintainer: $KMAINT <$KEMAIL> -Build-Depends: debhelper (>= 4) -Standards-Version: 3.6.0 -Source: openswan - -Package: openswan-modules-$KVERS -Architecture: any -Recommends: kernel-image-$KVERS (= $KDREV) -Description: IPSEC kernel modules for Openswan (binary kernel modules) - This package contains the openswan binary kernel modules for linux - version $KVERS. diff --git a/debian/openswan-modules-source.dirs b/debian/openswan-modules-source.dirs deleted file mode 100644 index 531fa90c3..000000000 --- a/debian/openswan-modules-source.dirs +++ /dev/null @@ -1 +0,0 @@ -/usr/src/ diff --git a/debian/openswan-modules-source.docs b/debian/openswan-modules-source.docs deleted file mode 100644 index e61535265..000000000 
--- a/debian/openswan-modules-source.docs +++ /dev/null @@ -1,2 +0,0 @@ -CREDITS -debian/README.Debian diff --git a/debian/openswan-modules-source.kernel-config b/debian/openswan-modules-source.kernel-config deleted file mode 100644 index 16727d166..000000000 --- a/debian/openswan-modules-source.kernel-config +++ /dev/null 
@@ -1,110 +0,0 @@ -#ifndef _CONFIG_ALL_H_ -/* - * Copyright (C) 2002 Michael Richardson - * - * This kernel module is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This kernel module is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public - * License for more details. - * - * RCSID $Id: openswan-modules-source.kernel-config,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ - */ -#define _CONFIG_ALL_H_ /* seen it, no need to see it again */ - -#define CONFIG_IPSEC 1 - -#ifndef CONFIG_IPSEC_AH -#define CONFIG_IPSEC_AH 1 -#endif - -#ifndef CONFIG_IPSEC_DEBUG -#define CONFIG_IPSEC_DEBUG 1 -#endif - -#ifndef CONFIG_IPSEC_ESP -#define CONFIG_IPSEC_ESP 1 -#endif - -#ifndef CONFIG_IPSEC_IPCOMP -#define CONFIG_IPSEC_IPCOMP 1 -#endif - -#ifndef CONFIG_IPSEC_IPIP -#define CONFIG_IPSEC_IPIP 1 -#endif - -#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5 -#define CONFIG_IPSEC_AUTH_HMAC_MD5 1 -#endif - -#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1 -#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1 -#endif - -#ifndef CONFIG_IPSEC_DYNDEV -#define CONFIG_IPSEC_DYNDEV 1 -#endif - -#ifndef CONFIG_IPSEC_ENC_3DES -#define CONFIG_IPSEC_ENC_3DES 1 -#endif - -#ifndef CONFIG_IPSEC_ENC_AES -#define CONFIG_IPSEC_ENC_AES 1 -#endif - -#ifndef CONFIG_IPSEC_REGRESS -#define CONFIG_IPSEC_REGRESS 0 -#endif - -#ifndef CONFIG_IPSEC_NAT_TRAVERSAL -#define CONFIG_IPSEC_NAT_TRAVERSAL 1 -#endif - -#ifndef CONFIG_IPSEC_ALG -#define CONFIG_IPSEC_ALG 1 -#endif -#ifndef CONFIG_IPSEC_ALG_AES -#define CONFIG_IPSEC_ALG_AES 1 -#endif -#ifndef CONFIG_IPSEC_ALG_TWOFISH -#define CONFIG_IPSEC_ALG_TWOFISH 1 -#endif -#ifndef CONFIG_IPSEC_ALG_BLOWFISH -#define CONFIG_IPSEC_ALG_BLOWFISH 1 -#endif -#ifndef 
CONFIG_IPSEC_ALG_SERPENT -#define CONFIG_IPSEC_ALG_SERPENT 1 -#endif -#ifndef CONFIG_IPSEC_ALG_3DES -#define CONFIG_IPSEC_ALG_3DES 1 -#endif -#ifndef CONFIG_IPSEC_ALG_CAST -#define CONFIG_IPSEC_ALG_CAST 1 -#endif -#ifndef CONFIG_IPSEC_ALG_MD5 -#define CONFIG_IPSEC_ALG_MD5 1 -#endif -#ifndef CONFIG_IPSEC_ALG_NULL -#define CONFIG_IPSEC_ALG_NULL 1 -#endif -#ifndef CONFIG_IPSEC_ALG_SHA1 -#define CONFIG_IPSEC_ALG_SHA1 1 -#endif -#ifndef CONFIG_IPSEC_ALG_SHA2 -#define CONFIG_IPSEC_ALG_SHA2 1 -#endif - -#ifndef CONFIG_IPSEC_ALG_CRYPTOAPI -#define CONFIG_IPSEC_ALG_CRYPTOAPI 1 -#endif -#ifndef CONFIG_IPSEC_ALG_NON_LIBRE -#define CONFIG_IPSEC_ALG_NON_LIBRE 1 -#endif - -#endif /* _CONFIG_ALL_H */ diff --git a/debian/openswan-modules-source.rules b/debian/openswan-modules-source.rules deleted file mode 100755 index f31746de1..000000000 --- a/debian/openswan-modules-source.rules +++ /dev/null 
@@ -1,150 +0,0 @@ -#!/usr/bin/make -f -# Sample debian/rules that uses debhelper. -# GNU copyright 1997 to 1999 by Joey Hess. - -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -# This is the debhelper compatability version to use. -export DH_COMPAT=4 - -VERS = $(shell sed -ne '1s/.*(\(.*\)).*/\1/p' debian/changelog) - -# KSRC is the location of the kernel source. This is the default value, -# when make-kpkg is used it will supply to real value -KSRC = /usr/src/linux - -# KDREV is the package-revision, as given to make-kpkg by the user. -# Just put a simply default value in here which we use when we test -# the packagebuilding without make-kpkg -KDREV = "Custom.1.00" - -# Separate the epoch from the normal revision number in KDREV -# for use with dh_gencontrol -KDREV_EPOCH = $(shell echo $(KDREV) | sed -ne '1s/\([^:]*:\)\?\(.*\)/\1/p') -KDREV_REV = $(shell echo $(KDREV) | sed -ne '1s/\([^:]*:\)\?\(.*\)/\2/p') - -# Now we need to get the kernel-version somehow -KVERS=`sed -n -e '/UTS_RELEASE/s/^[^"]*"\([^"]*\)".*$$/\1/p' $(KSRC)/include/linux/version.h` - -SED_SCRIPT=s!\$$KVERS!$(KVERS)!g; \ - s!\$$KSRC!$(KSRC)!; \ - s!\$$KEMAIL!$(KEMAIL)!; \ - s!\$$KMAINT!$(KMAINT)!; \ - s!\$$KDREV!$(KDREV)!; \ - s!\$$DEBDATE!$(shell date +"%a, %d %b %Y %H:%M:%S %z")! - -ifeq ($(DEB_DEST),) -DEB_DEST=$(KSRC)/.. -endif - -# Clear root command if already root -ifeq ($(shell id -u),0) -ROOT_CMD= -endif - -# this primarily sets ARCH, we may be able to do that in another way -# but it also defines IPSECVERSION, which is needed below -include Makefile.inc - -debian/control: debian/control.in - sed -e "$(SED_SCRIPT)" debian/control.in > $@ - -.PHONY: debian/control - - -configure: configure-stamp -configure-stamp: - dh_testdir - # Add here commands to configure the package. 
- - touch configure-stamp - -build: debian/control configure-stamp build-stamp -build-stamp: - dh_testdir - - $(MAKE) module KERNELSRC=${KSRC} OPENSWANSRCDIR=$(CURDIR) - - touch build-stamp - -clean: - dh_testdir - dh_testroot - rm -f build-stamp configure-stamp - - $(MAKE) modclean KERNELSRC=${KSRC} OPENSWANSRCDIR=$(CURDIR) - - dh_clean - - rm -f debian/control - -MODDESTDIR=$(CURDIR)/debian/openswan-modules-$(KVERS)/lib/modules/$(KVERS)/kernel/net/ipsec -install: -install: build - dh_testdir - dh_testroot - dh_clean -k - dh_installdirs - - mkdir -p $(MODDESTDIR) - if [ -d modobj ]; then \ - cp modobj/ipsec.o $(MODDESTDIR); \ - cp modobj/ipsec_alg_*.o $(MODDESTDIR); \ - else \ - cp modobj26/ipsec.ko $(MODDESTDIR); \ - fi - - -# Build architecture-independent files here. -binary-indep: build install -# We have nothing to do by default. - -# Build architecture-dependent files here. -binary-arch: build install - dh_testdir - dh_testroot -# dh_installdebconf - dh_installdocs - dh_installexamples - dh_installmenu -# dh_installlogrotate -# dh_installemacsen -# dh_installpam -# dh_installmime -# dh_installinit - dh_installmodules - dh_installcron - dh_installman - dh_installinfo -# dh_undocumented - dh_installchangelogs - dh_link - dh_strip - dh_compress - dh_fixperms -# dh_makeshlibs - dh_installdeb -# dh_perl - dh_shlibdeps - dh_gencontrol -- -v$(KDREV_EPOCH)$(VERS)+$(KDREV_REV) - dh_md5sums - dh_builddeb --destdir=$(DEB_DEST) - -binary: binary-indep binary-arch -.PHONY: build clean binary-indep binary-arch binary install configure - -binary-modules: binary - - -kdist_image: - $(ROOT_CMD) $(MAKE) -f debian/rules binary-modules - $(ROOT_CMD) $(MAKE) -f debian/rules clean -kdist_clean: debian/control clean -kdist: - $(ROOT_CMD) $(MAKE) -f debian/rules binary-modules -kdist_configure: configure-stamp - - -.PHONY: binary-modules kdist_image - diff --git a/debian/openswan.config b/debian/openswan.config deleted file mode 100644 index e779a2ab1..000000000 
--- a/debian/openswan.config +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/sh -e - -. /usr/share/debconf/confmodule - -db_input medium openswan/start_level || true - -db_input medium openswan/restart || true - -db_input high openswan/enable-oe || true - -db_input high openswan/create_rsa_key || true -db_go || true - -db_get openswan/create_rsa_key -if [ "$RET" = "true" ]; then - db_input high openswan/rsa_key_type || true - db_go || true - - db_get openswan/rsa_key_type - if [ "$RET" = "plain" ]; then - # create just a plain RSA keypair - db_input medium openswan/rsa_key_length || true - db_go || true - else - # extract the RSA keypair from a x509 certificate - db_input high openswan/existing_x509_certificate || true - db_go || true - - # create a new certificate - db_input medium openswan/rsa_key_length || true - db_input high openswan/x509_self_signed || true - # we can't allow the country code to be empty - openssl will - # refuse to create a certificate this way - countrycode="" - while [ -z "$countrycode" ]; do - db_input medium openswan/x509_country_code || true - db_go || true - db_get openswan/x509_country_code - countrycode="$RET" - done - db_input medium openswan/x509_state_name || true - db_input medium openswan/x509_locality_name || true - db_input medium openswan/x509_organization_name || true - db_input medium openswan/x509_organizational_unit || true - db_input medium openswan/x509_common_name || true - db_input medium openswan/x509_email_address || true - db_go || true - fi -else - db_get openswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - # existing certificate - use it - db_input critical openswan/existing_x509_certificate_filename || true - db_input critical openswan/existing_x509_key_filename || true - db_go || true - fi -fi diff --git a/debian/openswan.dirs b/debian/openswan.dirs deleted file mode 100644 index 778085209..000000000 --- a/debian/openswan.dirs +++ /dev/null 
@@ -1,15 +0,0 @@ -/etc -/etc/ipsec.d -/etc/ipsec.d/cacerts -/etc/ipsec.d/ocspcerts -/etc/ipsec.d/crls -/etc/ipsec.d/private -/etc/ipsec.d/policies -/etc/init.d -/etc/logcheck/ignore.d.paranoid -/etc/logcheck/ignore.d.server -/etc/logcheck/ignore.d.workstation -/etc/logcheck/violations.ignore.d -/usr/bin -/usr/sbin -/var/lock/subsys diff --git a/debian/openswan.docs b/debian/openswan.docs deleted file mode 100644 index e206d4729..000000000 --- a/debian/openswan.docs +++ /dev/null @@ -1,5 +0,0 @@ -BUGS -README -CREDITS -doc/ -docs/ diff --git a/debian/openswan.postinst b/debian/openswan.postinst deleted file mode 100644 index 7d9b19b4b..000000000 --- a/debian/openswan.postinst +++ /dev/null 
@@ -1,258 +0,0 @@ -#! /bin/bash -# postinst script for openswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -insert_private_key() { - cat <> /etc/ipsec.secrets -: RSA { -$1 - } -EOF -} - -insert_private_key_filename() { - if ! grep -q ": RSA $1" /etc/ipsec.secrets; then - echo ": RSA $1" >> /etc/ipsec.secrets - fi -} - -IPSEC_SECRETS_PATTERN_1=': RSA {' -IPSEC_SECRETS_PATTERN_2=' # yyy' -IPSEC_SECRETS_PATTERN_3=' }' -IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' - -# remove old, misguided attempts at a default ipsec.secrets files -repair_legacy_secrets() { - if grep -A 2 "$IPSEC_SECRETS_PATTERN_1" /etc/ipsec.secrets | - tail --lines=2 | - grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | - tail --lines=1 | - grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then - echo "Old default config file detected, removing the old defaults now." 
- umask 077 ; ( - # this is ugly, and someone maybe can formulate this in sed, but - # this was the quickest way for me - line=`grep -n "$IPSEC_SECRETS_PATTERN_2" /etc/ipsec.secrets | cut -d':' -f1` - until=`expr $line - 1` - head -n $until /etc/ipsec.secrets - sum=`wc -l /etc/ipsec.secrets | cut -d ' ' -f1` - from=`expr $sum - $line -1` - tail -n $from /etc/ipsec.secrets - ) > /etc/ipsec.secrets.tmp - mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets - grep -v "$IPSEC_SECRETS_PATTERN_4" /etc/ipsec.secrets > /etc/ipsec.secrets.tmp - mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets - fi -} - -make_x509_cert() { - if [ $# -ne 12 ]; then - echo "Error in creating X.509 certificate" - exit 1 - fi - - case $5 in - false) - certreq=$4.req - selfsigned="" - ;; - true) - certreq=$4 - selfsigned="-x509" - ;; - *) - echo "Error in creating X.509 certificate" - exit 1 - ;; - esac - - echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ - /usr/bin/openssl req -new -outform PEM -out $certreq \ - -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ - -days $2 $selfsigned >/dev/null -} - -. /usr/share/debconf/confmodule - -case "$1" in - configure) - db_get openswan/create_rsa_key - if [ "$RET" = "true" ]; then - repair_legacy_secrets - # OK, ipsec.secrets should now be correct - db_get openswan/rsa_key_type - if [ "$RET" = "plain" ]; then - # a RSA keypair should be created - check if there is one already - if egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then - echo "Warning: there is already a RSA key in /etc/ipsec.secrets." - echo "Creating an additional one." - fi - # create a plain openswan keypair - db_get openswan/rsa_key_length - umask 077 - keylength=$RET - privkey=`mktemp /tmp/ipsec-postinst.XXXXXX` - /usr/lib/ipsec/rsasigkey $keylength > $privkey - insert_private_key "`cat $privkey`" - rm $privkey - echo "Successfully created a plain openswan RSA keypair." 
- else - # extract the key from a (newly created) x509 certificate - host=`hostname` - newkeyfile="/etc/ipsec.d/private/${host}Key.pem" - newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # create a new certificate - db_get openswan/rsa_key_length - keylength=$RET - db_get openswan/x509_self_signed - selfsigned=$RET - db_get openswan/x509_country_code - countrycode=$RET - if [ -z "$countrycode" ]; then countrycode="."; fi - db_get openswan/x509_state_name - statename=$RET - if [ -z "$statename" ]; then statename="."; fi - db_get openswan/x509_locality_name - localityname=$RET - if [ -z "$localityname" ]; then localityname="."; fi - db_get openswan/x509_organization_name - orgname=$RET - if [ -z "$orgname" ]; then orgname="."; fi - db_get openswan/x509_organizational_unit - orgunit=$RET - if [ -z "$orgunit" ]; then orgunit="."; fi - db_get openswan/x509_common_name - commonname=$RET - if [ -z "$commonname" ]; then commonname="."; fi - db_get openswan/x509_email_address - email=$RET - if [ -z "$email" ]; then email="."; fi - make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" - chmod 0600 "$newkeyfile" - umask 077 - insert_private_key_filename "$newkeyfile" - echo "Successfully created x509 certificate." - fi - fi - else - db_get openswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." 
- else - # existing certificate - use it - db_get openswan/existing_x509_certificate_filename - certfile=$RET - db_get openswan/existing_x509_key_filename - keyfile=$RET - if [ ! -r $certfile ] || [ ! -r $keyfile ]; then - echo "Either the certificate or the key file could not be read !" - else - cp "$certfile" /etc/ipsec.d/certs - umask 077 - cp "$keyfile" "/etc/ipsec.d/private" - newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" - chmod 0600 "$newkeyfile" - insert_private_key_filename "$newkeyfile" - echo "Successfully extracted RSA key from existing x509 certificate." - fi - fi - fi - fi - - # figure out the correct start time - db_get openswan/start_level - if [ "$RET" = "earliest" ]; then - LEVELS="start 41 S . stop 34 0 6 ." - elif [ "$RET" = "after NFS" ]; then - LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." - else - LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." - fi - update-rc.d ipsec $LEVELS > /dev/null - - db_get openswan/enable-oe - if [ "$RET" != "true" ]; then - echo -n "Disabling opportunistic encryption (OE) in config file ... " - if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then - echo "already disabled" - else - cat <> /etc/ipsec.conf -#Disable Opportunistic Encryption -include /etc/ipsec.d/examples/no_oe.conf -EOF - echo "done" - fi - else - echo -n "Enabling opportunistic encryption (OE) in config file ... " - if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then - sed 's/include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/no_oe.conf/' < /etc/ipsec.conf > /etc/ipsec.conf.tmp - mv /etc/ipsec.conf.tmp /etc/ipsec.conf - echo "done" - else - echo "already enabled" - fi - fi - - if [ -z "$2" ]; then - # no old configured version - start openswan now - invoke-rc.d ipsec start || true - else - # does the user wish openswan to restart? 
- db_get openswan/restart - if [ "$RET" = "true" ]; then - invoke-rc.d ipsec restart || true # sure, we'll restart it for you - fi - fi - - db_stop - - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument '$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically - -#DEBHELPER# - -exit 0 diff --git a/debian/openswan.postrm b/debian/openswan.postrm deleted file mode 100644 index f5aa182f1..000000000 --- a/debian/openswan.postrm +++ /dev/null @@ -1,42 +0,0 @@ -#! /bin/sh -# postrm script for openswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `purge' -# * `upgrade' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# * `disappear' overwrit>r> -# for details, see /usr/share/doc/packaging-manual/ - -case "$1" in - purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - - # update the menu system -# if [ -x /usr/bin/update-menus ]; then update-menus; fi - - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 0 - -esac - -if [ "$1" = "purge" ] ; then - update-rc.d ipsec remove >/dev/null -fi - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - - diff --git a/debian/openswan.prerm b/debian/openswan.prerm deleted file mode 100644 index de804d5cb..000000000 --- a/debian/openswan.prerm +++ /dev/null 
@@ -1,40 +0,0 @@ -#! /bin/sh -# prerm script for openswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `upgrade' -# * `failed-upgrade' -# * `remove' `in-favour' -# * `deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ - -case "$1" in - upgrade) - ;; - remove|deconfigure) - /etc/init.d/ipsec stop || true -# install-info --quiet --remove /usr/info/openswan.info.gz - ;; - failed-upgrade) - ;; - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff --git a/debian/openswan.templates b/debian/openswan.templates deleted file mode 100644 index 6f75e1ef4..000000000 --- a/debian/openswan.templates +++ /dev/null 
@@ -1,633 +0,0 @@ -Template: openswan/start_level -Type: select -Choices: earliest, "after NFS", "after PCMCIA" -Choices-fr: Le plus tôt possible, Après NFS, Après PCMCIA -Choices-ja: ²Äǽ¤Ê¸Â¤êÁ᤯, "NFS µ¯Æ°¸å", "PCMCIA µ¯Æ°¸å" -Choices-pt_BR: o quando antes, "depois do NFS", "depois do PCMCIA" -Default: earliest -Description: At which level do you wish to start Openswan ? - With the current Debian startup levels (nearly everything starting in - level 20), it is impossible for Openswan to always start at the correct - time. There are three possibilities when Openswan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it is the best to start Openswan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). - . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start Openswan after NFS so that all - necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. - . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choice to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. -Description-fr: Étape de lancement d'Openswan : - Avec les niveaux de démarrage actuellement utilisés par Debian (presque - tout démarre au niveau 20), il est impossible de faire en sorte - qu'Openswan démarre toujours au moment approprié. 
Il existe trois moments - où il est opportun de le démarrer : avant ou après les services NFS ou - après les services PCMCIA. La réponse appropriée dépend de vos réglages - spécifiques. - . - Si votre arborescence /usr n'est pas un montage NFS (soit parce que vos - montages NFS sont à d'autres endroits, moins critiques, soit parce que - vous n'utilisez pas du tout de montage NFS) et si vous n'utilisez pas de - carte réseau PCMCIA, il est préférable de démarrer Openswan le plus tôt - possible, ce qui permettra de sécuriser les montages NFS avec IPSec. Dans - ce cas (ou bien si vous ne comprenez pas l'objet de la question ou qu'elle - ne vous concerne pas), choisissez « le plus tôt possible », qui est le - choix par défaut. - . - Si /usr est un montage NFS et que vous n'utilisez pas de carte réseau - PCMCIA, vous devrez alors démarrer Openswan après les services NFS afin - que tous les fichiers nécessaires soient disponibles. Dans ce cas, - choisissez « après NFS ». Veuillez noter que le montage NFS de /usr n'est - alors pas sécurisé par IPSec. - . - Si vous utilisez une carte PCMCIA pour vos connexions IPSec, votre seul - choix possible est le démarrage après les services PCMCIA. Choisissez - alors « après PCMCIA ». Faites également ce choix si vous souhaitez - récupérer les clés d'authentification sur un serveur DNS reconnaissant - DNSSec. -Description-ja: ¤É¤ÎÃʳ¬¤Ç Openswan ¤òµ¯Æ°¤µ¤»¤Þ¤¹¤«? - ¸½ºß¤Î Debian ¤Ç¤Îµ¯Æ°¥ì¥Ù¥ë (¤Û¤È¤ó¤ÉÁ´¤Æ¤¬¥ì¥Ù¥ë20) ¤Î¤Þ¤Þ¤Ç¤Ï¡¢Openswan - ¤ò¾ï¤Ë¤ÏŬÀڤʥ¿¥¤¥ß¥ó¥°¤Çµ¯Æ°¤Ç¤­¤Þ¤»¤ó¡£Openswan - ¤òµ¯Æ°¤µ¤»¤ë¥¿¥¤¥ß¥ó¥°¤ÎÁªÂò»è¤È¤·¤Æ¤Ï3¤Ä¤¬¹Í¤¨¤é¤ì¤Þ¤¹: NFS - ¥µ¡¼¥Ó¥¹¤Î³«»ÏÁ°¡¦³«»Ï¸å¡¦PCMCIA - ¥µ¡¼¥Ó¥¹¤Î³«»Ï¸å¤Ç¤¹¡£Àµ²ò¤Ï¤¢¤Ê¤¿¤ÎÀßÄ꼡Âè¤Ç¤¹¡£ - . 
- NFS ·Ðͳ¤Ç /usr ¤ò¥Þ¥¦¥ó¥È¤»¤º - (¾¤Î¥Ñ¡¼¥Æ¥£¥·¥ç¥ó¤ä¤¢¤Þ¤ê½ÅÍפǤϤʤ¤¥Ñ¡¼¥Æ¥£¥·¥ç¥ó¤ò NFS - ·Ðͳ¤Ç¥Þ¥¦¥ó¥È¤¹¤ë¤«¡¢¤Þ¤¿¤Ï NFS ¥Þ¥¦¥ó¥È¤òÁ´¤¯»È¤ï¤Ê¤¤)¡¢²Ã¤¨¤Æ PCMCIA - ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤òÍøÍѤ·¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢²Äǽ¤Ê¸Â¤êÁᤤ»þ´Ö¤Ë Openswan - ¤òµ¯Æ°¤¹¤ë¤Î¤¬¥Ù¥¹¥È¤Ç¤¹¡£¤³¤ÎÀßÄê¤Ë¤è¤Ã¤Æ¡¢NFS ¤Ç¤Î¥Þ¥¦¥ó¥È¤Ï IPSec - ¤ÇÊݸ¤ì¤Þ¤¹¡£¤³¤Î¾ì¹ç - (¤Þ¤¿¤Ï¤³¤ÎÌäÂê¤òÍý²ò¤·¤Æ¤¤¤Ê¤¤¤«Æä˵¤¤Ë¤·¤Ê¤¤¾ì¹ç) - ¡¢"²Äǽ¤Ê¸Â¤êÁ᤯"¤È¼ÁÌä¤ËÅú¤¨¤Æ¤¯¤À¤µ¤¤ (ɸ½à) ¡£ - . - NFS ·Ðͳ¤Ç /usr ¤ò¥Þ¥¦¥ó¥È¤·¤Æ¤¤¤Æ PCMCIA - ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤ò»ÈÍѤ·¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï¡¢É¬Íפʥե¡¥¤¥ë¤òÍøÍѲÄǽ¤Ë¤¹¤ë¤¿¤á¤Ë - Openswan ¤ò NFS ¤Î¸å¤Çµ¯Æ°¤·¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£¤³¤Î¾ì¹ç¡¢"NFS µ¯Æ°¸å" - ¤ÈÅú¤¨¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î»þ¤Ë NFS ·Ðͳ¤Ç¥Þ¥¦¥ó¥È¤µ¤ì¤ë /usr ¤Ï¡¢IPSec - ¤Ë¤è¤ë¥»¥­¥å¥¢¤Ê¾õÂ֤ˤϤʤé¤Ê¤¤¤È¤¤¤¦¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£ - . - IPSec Àܳ¤Ë PCMCIA ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤òÍøÍѤ·¤Æ¤¤¤¿¾ì¹ç¡¢PCMCIA - ¥µ¡¼¥Ó¥¹¤Îµ¯Æ°¸å¤Ë Openswan - ¤òµ¯Æ°¤¹¤ë°Ê³°¤ËÁªÂò¤Ï¤¢¤ê¤Þ¤»¤ó¡£¤³¤Î¾ì¹ç¡¢"PCMCIA µ¯Æ°¸å" - ¤ÈÅú¤¨¤Æ¤¯¤À¤µ¤¤¡£¥í¡¼¥«¥ë¤ÇÆ°ºî¤·¤Æ¤¤¤ë DNSSec µ¡Ç½¤ò»ÈÍѤ·¤Æ¤¤¤ë DNS - ¥µ¡¼¥Ð¤«¤é¸°¤ò¼èÆÀ¤·¤¿¤¤¾ì¹ç¤Ç¤â¡¢¤³¤ÎÅú¤¨¤ò¤·¤Æ¤¯¤À¤µ¤¤¡£ -Description-pt_BR: Em que nível você deseja iniciar o Openswan ? - Com os níveis de inicialização atuais do Debian (quase todos os serviços - iniciando no nível 20) é impossível para o Openswan sempre iniciar no - momento correto. Existem três possibilidades para quando iniciar o - Openswan : antes ou depois dos serviços NFS e depois dos serviços PCMCIA. - A resposta correta depende se sua configuração específica. - . - Caso você não possua sua àrvore /usr montada via NFS (você somente monta - outras àrvores não vitais via NFS ou não usa àrvores montadas via NFS) e - não use um cartão de rede PCMCIA, a melhor opção é iniciar o Openswan o - quando antes, permitindo dessa forma que os pontos de montagem NFS estejam - protegidos por IPSec. Nesse caso (ou caso você não compreenda ou não se - importe com esse problema), responda "o quando antes" para esta pergunta - (o que é o padrão). - . 
- Caso você possua sua àrvore /usr montada via NFS e não use um cartão de - rede PCMCIA, você precisará iniciar o Openswan depois do NFS de modo que - todos os arquivos necessários estejam disponíveis. Nesse caso, responda - "depois do NFS" para esta pergunta. Por favor, note que a montagem NFS de - /usr não poderá ser protegida pelo IPSec nesse caso. - . - Caso você use um cartão de rede PCMCIA para suas conexões IPSec você - precisará somente optar por iniciar o Opensan depois dos serviços PCMCIA. - Responda "depois do PCMCIA" nesse caso. Esta é também a maneira correta de - obter chaves de um servidor DNS sendo executado localmente e com suporte a - DNSSec. - -Template: openswan/restart -Type: boolean -Default: true -Description: Do you wish to restart Openswan? - Restarting Openswan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down - existing connections and then bring them back up. -Description-fr: Souhaitez-vous redémarrer Openswan ? - Redémarrer Openswan est préférable car un éventuel correctif de sécurité - ne prendra place que si le démon est redémarré. La plupart des - utilisateurs s'attendent à ce que le démon redémarre et c'est donc le plus - souvent le meilleur choix. Cependant, cela pourrait interrompre - provisoirement des connexions en cours. -Description-ja: Openswan ¤òºÆµ¯Æ°¤·¤Þ¤¹¤«? - ¥»¥­¥å¥ê¥Æ¥£½¤Àµ¤¬¤¢¤Ã¤¿¾ì¹ç¤Ë¤Ï¥Ç¡¼¥â¥ó¤¬ºÆµ¯Æ°¤µ¤ì¤ë¤Þ¤Ç½¤Àµ¤¬È¿±Ç¤µ¤ì¤Þ¤»¤ó¡£¤½¤Î¤¿¤á¡¢Openswan - ¤òºÆµ¯Æ°¤¹¤ë¤Î¤ÏÎɤ¤¹Í¤¨¤Ç¤¹¡£¤Û¤È¤ó¤É¤Î¿Í¤Ï¥Ç¡¼¥â¥ó¤òºÆµ¯Æ°¤·¤è¤¦¤È¤·¤Þ¤¹¤¬¡¢¤³¤ì¤ÏÂçÄñÌäÂꤢ¤ê¤Þ¤»¤ó¡£¤·¤«¤·¡¢¤³¤Îºî¶È¤Ç¸½ºß¤ÎÀܳ¤ÏÀÚÃǤµ¤ì¡¢ºÆÅÙ·Ò¤®¤Ê¤ª¤¹¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£ -Description-pt_BR: Você deseja reiniciar o Openswan ? - Reiniciar o Openswan é uma boa idéia, uma vez que caso exista um correção - para uma falha de segurança, o mesmo não será corrigido até que o daemon - seja reiniciado. 
A maioria das pessoas esperam que o daemon seja - reiniciado, portanto essa é geralmente uma boa idéia. Porém, reiniciar o - Openswan pode derrubar conexões existentes, mas posteriormente trazê-las - de volta. - -Template: openswan/create_rsa_key -Type: boolean -Default: true -Description: Do you want to create a RSA public/private keypair for this host ? - This installer can automatically create a RSA public/private keypair for - this host. This keypair can be used to authenticate IPSec connections to - other hosts and is the preferred way for building up secure IPSec - connections. The other possibility would be to use shared secrets - (passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administrate and more secure. -Description-fr: Souhaitez-vous créer une paire de clés RSA publique et privée pour cet hôte ? - Cet outil d'installation peut créer automatiquement une paire de clés RSA - publique et privée pour cet hôte. Cette paire de clés peut servir à - authentifier des connexions IPSec vers d'autres hôtes. Cette méthode est - la méthode conseillée pour l'établissement de liaisons IPSec sûres. - L'autre possibilité d'authentification à la connexion est l'utilisation - d'un secret partagé (« pre-shared key » : des mots de passe identiques aux - deux extrémités du tunnel). Toutefois, pour de nombreuses connexions, - l'authentification RSA est plus simple à administrer et plus sûre. -Description-ja: ¤³¤Î¥Û¥¹¥È¤Î RSA ¸ø³«¸°¤ÈÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤òÀ¸À®¤·¤Þ¤¹¤«? 
- ¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï¤³¤Î¥Û¥¹¥È¤Î RSA - ¸ø³«¸°¤ÈÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤ò¼«Æ°Åª¤ËÀ¸À®¤Ç¤­¤Þ¤¹¡£¤³¤Î¥­¡¼¥Ú¥¢¤Ï¾¤Î¥Û¥¹¥È¤È¤Î - IPSec ÄÌ¿®¤Ç¤Îǧ¾Ú¤ËÍøÍѲÄǽ¤Ç¡¢¥»¥­¥å¥¢¤Ê IPSec - ÄÌ¿®¤ò³ÎΩ¤¹¤ëÊýË¡¤È¤·¤Æ¹¥¤Þ¤ì¤Æ¤¤¤Þ¤¹¡£Â¾¤ËÍøÍѲÄǽ¤ÊÊýË¡¤È¤·¤Æ¤Ï¶¦Ä̸° - (¥È¥ó¥Í¥ë¤ÎÁÐÊý¤ÇƱ¤¸¥Ñ¥¹¥ï¡¼¥É) - ¤òÄÌ¿®¤Îǧ¾Ú¤ËÍøÍѤ¹¤ë¤È¤¤¤¦¤Î¤¬¤¢¤ê¤Þ¤¹¤¬¡¢Â¿¿ô¤ÎÀܳ¤ËÂФ·¤Æ¤Ï¡¢RSA - ǧ¾Ú¤Î¤Û¤¦¤¬´ÉÍý¤¬¤è¤ê´Êñ¤Ç¡¢¤è¤ê¥»¥­¥å¥¢¤Ç¤¹¡£ -Description-pt_BR: Você deseja criar um par de chaves RSA pública/privada para este host ? - Este instalador pode automaticamente criar um par de chaves RSA - pública/privada para este host. Esse par de chaves pode ser usado para - autenticar conexões IPSec com outros hosts e é a maneira preferida de - construir conexões IPSec seguras. A outra possibilidade seria usar - segredos compartilhados (senhas que são iguais em ambos os lados do túnel) - para autenticar uma conexão, mas para um grande número de conexões RSA a - autenticação é mais fácil de administrar e mais segura. - -Template: openswan/rsa_key_type -Type: select -Choices: x509, plain -Choices-fr: X509, simple paire -Choices-ja: x509, Ä̾ï¤Î¥¿¥¤¥× -Choices-pt_BR: x509, pura -Default: x509 -Description: Which type of RSA keypair do you want to create ? - It is possible to create a plain RSA public/private keypair for the use - with Openswan or to create a X509 certificate file which contains the RSA - public key and additionally store the corresponding private key. - . - If you only want to build up IPSec connections to hosts also running - Openswan, it might be a bit easier using plain RSA keypairs. But if you - want to connect to other IPSec implementations, you will need a X509 - certificate. It is also possible to create a X509 certificate here and - extract the RSA public key in plain format if the other side runs - Openswan without X509 certificate support. - . 
- Therefore a X509 certificate is recommended since it is more flexible and - this installer should be able to hide the complex creation of the X509 - certificate and its use in Openswan anyway. -Description-fr: Type de paire de clés RSA à créer : - Il est possible de créer une simple paire de clés destinée à être utilisée - avec Openswan ou de créer un fichier de certificat X509 qui contient la - clé publique RSA et de conserver la clé privée correspondante par - ailleurs. - . - Si vous ne prévoyez d'établir des connexions IPSec qu'avec des hôtes - utilisant Openswan, il sera probablement plus facile d'utiliser des clés - RSA simples. Mais si vous souhaitez vous connecter à des hôtes utilisant - d'autres implémentations d'IPSec, vous aurez besoin d'un certificat X509. - Il est également possible de créer un certificat X509 puis d'en extraire - un simple clé publique RSA, si l'autre extrémité de la connexion utilise - Openswan sans le support des certificats X509. - . - En conséquence, il vous est conseillé d'utiliser un certificat X509 car - cette méthode est plus souple. Cet outil d'installation devrait vous - simplifier la tâche de création et d'utilisation de ce certificat X509. -Description-ja: ¤É¤Á¤é¤Î¥¿¥¤¥×¤Î RSA ¥­¡¼¥Ú¥¢¤òÀ¸À®¤·¤Þ¤¹¤«? - Openswan ¤ÇÍøÍѤ¹¤ëÄ̾ï¤Î RSA ¸ø³«¸°¡¦ÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤òºî¤ì¤Þ¤¹¡£¤¢¤ë¤¤¤Ï - RSA ¸ø³«¸°¤ò (¤µ¤é¤Ë¤Ï¤½¤ì¤ËÂбþ¤¹¤ëÈëÌ©¸°¤â) ´Þ¤à X509 - ¾ÚÌÀ½ñ¥Õ¥¡¥¤¥ë¤âƱÍͤǤ¹¡£ - . - ´û¤Ë Openswan ¤òÆ°ºî¤µ¤»¤Æ¤¤¤ë¥Û¥¹¥È¤È IPSec - ÄÌ¿®¤ò³ÎΩ¤·¤¿¤¤¤À¤±¤Î¾ì¹ç¤Ï¡¢Ä̾ï¤Î RSA - ¥­¡¼¥Ú¥¢¤ò»ÈÍѤ¹¤ë¤È¿¾¯´Êñ¤Ë¤Ê¤ê¤Þ¤¹¡£¤·¤«¤·¡¢Â¾¤Î IPSec - ¼ÂÁõ¤È¤ÎÀܳ¤ò¹Ô¤¤¤¿¤¤¾ì¹ç¤Ï X509 - ¾ÚÌÀ½ñ¤¬É¬Íפˤʤê¤Þ¤¹¡£ÄÌ¿®¤ò¹Ô¤¦ÂоݤΥۥ¹¥È¤¬ Openswan ¤ò X509 - ¾ÚÌÀ½ñ¤Î¥µ¥Ý¡¼¥È̵¤·¤Ç±¿ÍѤ·¤Æ¤¤¤¿¾ì¹ç¡¢¤³¤³¤Ç X509 - ¾ÚÌÀ½ñ¤òÀ¸À®¤·¤Æ¡¢¸å¤Û¤É RSA ¸ø³«¸°¤òÄ̾ï¤Î·Á¼°¤ËŸ³«¤¹¤ë¤³¤È¤â²Äǽ¤Ç¤¹¡£ - . 
- ¤·¤¿¤¬¤Ã¤Æ X509 - ¾ÚÌÀ½ñ¤¬¤ª´«¤á¤Ç¤¹¡£¤³¤Á¤é¤Î¤Û¤¦¤¬½ÀÆð¤Ç¤¹¤·¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤ò»È¤¨¤Ð¡¢X509 - ¾ÚÌÀ½ñ¤ÎÀ¸À®¤ä Openswan ¤Ç¤ÎÍøÍѤ˺ݤ·¤Æ¤ÎÌÌÅݤµ¤ò±£Ê䷤Ƥ¯¤ì¤ë¤Ï¤º¤Ç¤¹¡£ -Description-pt_BR: Qual tipo de par de chaves RSA você deseja criar ? - É possível criar um par de chaves RSA pública/privada pura (plain) para - uso com o Openswan ou para criar um arquivo de certificado X509 que irá - conter a chave RSA pública e adicionalmente armazenar a chave privada - correspondente. - . - Caso você queira somente construir conexões IPsec para hosts e também - executar o Openswan, pode ser um pouco mais fácil usar pares de chaves RSA - puros (plain). Mas caso você queira se conectar a outras implementações - IPSec, você precisará de um certificado X509. É também possível criar um - certificado X509 aqui e extrair a chave pública em formato puro (plain) - caso o outro lado execute o Openswan sem suporte a certificados X509. - . - Um certificado X509 é recomendado, uma vez que o mesmo é mais flexível e - este instalador é capaz de simplificar a complexa criação do certificado - X509 e seu uso com o Openswan. - -Template: openswan/existing_x509_certificate -Type: boolean -Default: false -Description: Do you have an existing X509 certificate file that you want to use for Openswan ? - This installer can automatically extract the needed information from an - existing X509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. Do you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections ? -Description-fr: Possédez-vous un fichier de certificat X509 existant àutiliser avec Openswan ? - Cet outil d'installation est capable d'extraire automatiquement - l'information nécessaire d'un fichier de certificat X509 existant, avec la - clé privée RSA correspondante. Les deux parties peuvent se trouver dans un - seul fichier, s'il est en format PEM. 
Possédez-vous un tel certificat - ainsi que la clé privée, et souhaitez-vous vous en servir pour - l'authentification des connexions IPSec ? -Description-ja: ´û¤Ë¸ºß¤·¤Æ¤¤¤ë X509 ¾ÚÌÀ½ñ¥Õ¥¡¥¤¥ë¤ò Openswan ¤ÇÍøÍѤ·¤Þ¤¹¤«? - ¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï´û¤Ë¸ºß¤·¤Æ¤¤¤ë X509 ¾ÚÌÀ½ñ¤«¤é RSA - ÈëÌ©¸°¤È¾È¤é¤·¹ç¤ï¤»¤ÆɬÍפʾðÊó¤ò¼«Æ°Åª¤ËŸ³«¤¹¤ë»ö¤¬²Äǽ¤Ç¤¹¡£ PEM - ·Á¼°¤Î¾ì¹ç¡¢ÁÐÊý¤ò°ì¤Ä¤Î¥Õ¥¡¥¤¥ë¤Ë¤Þ¤È¤á¤ë¤³¤È¤â²Äǽ¤Ç¤¹¡£¤½¤Î¤è¤¦¤Ê¾ÚÌÀ½ñ¤È¸°¤Î¥Õ¥¡¥¤¥ë¤¬¤¢¤ê¡¢¤³¤ì¤é¤ò - IPSec ÄÌ¿®¤Ç¤Îǧ¾Ú¤Ë»ÈÍѤ·¤¿¤¤¤Ç¤¹¤«? -Description-pt_BR: Você possui um arquivo de certificado X509 existente que você gostaria de usar com o Openswan ? - Este instalador pode extrair automaticamente a informação necessária de um - certificado X509 existente com uma chave RSA privada adequada. Ambas as - partes podem estar em um arquivo, caso estejam no formato PEM. Você possui - um certificado existente e um arquivo de chave e quer usá-los para - autenticar conexões IPSec ? - -Template: openswan/existing_x509_certificate_filename -Type: string -Description: Please enter the location of your X509 certificate in PEM format. - Please enter the location of the file containing your X509 certificate in - PEM format. -Description-fr: Emplacement de votre certificat X509 au format PEM : - Veuillez indiquer l'emplacement du fichier contenant votre certificat X509 - au format PEM. -Description-ja: PEM ·Á¼°¤Î X509 ¾ÚÌÀ½ñ¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - PEM ·Á¼°¤Î X509 ¾ÚÌÀ½ñ¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ -Description-pt_BR: Por favor, informe a localização de seu certificado X509 no formato PEM. - Por favor, informe a localização do arquivo contendo seu certificado X509 - no formato PEM. - -Template: openswan/existing_x509_key_filename -Type: string -Description: Please enter the location of your X509 private key in PEM format. - Please enter the location of the file containing the private RSA key - matching your X509 certificate in PEM format. This can be the same file - that contains the X509 certificate. 
-Description-fr: Emplacement de votre clé privée X509 au format PEM : - Veuillez indiquer l'emplacement du fichier contenant la clé privée RSA - correspondant à votre certificat X509 au format PEM. Cela peut être le - fichier qui contient le certificat X509. -Description-ja: PEM ·Á¼°¤Î X509 ÈëÌ©¸°¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - PEM ·Á¼°¤Î X509 - ¾ÚÌÀ½ñ¤ËÂбþ¤¹¤ëÈëÌ©¸°¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï - X509 ¾ÚÌÀ½ñ¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤ÈƱ¤¸¤Ç¹½¤¤¤Þ¤»¤ó¡£ -Description-pt_BR: Por favor, informe a localização de sua chave privada X509 no formato PEM. - Por favor, informe a localização do arquivo contendo a chave privada RSA - que casa com seu certificado X509 no formato PEM. Este pode ser o mesmo - arquivo que contém o certificado X509. - -Template: openswan/rsa_key_length -Type: string -Default: 2048 -Description: Which length should the created RSA key have ? - Please enter the length of the created RSA key. it should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. -Description-fr: Longueur de la clé RSA à créer : - Veuillez indiquer la longueur de la clé RSA qui sera créée. Elle ne doit - pas être inférieure à 1024 bits car cela serait considéré comme - insuffisamment sûr. Un choix excédant 2048 bits est probablement inutile - car cela ne fait essentiellement que ralentir le processus - d'authentification sans avoir d'intérêt actuellement. -Description-ja: RSA ¸°¤ò¤É¤ÎŤµ¤ÇÀ¸À®¤·¤Þ¤¹¤«? - À¸À®¤¹¤ë RSA ¸°¤ÎŤµ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£°ÂÁ´¤Î¤¿¤á¡¢1024 - ¥Ó¥Ã¥È°Ê²¼¤Ë¤¹¤Ù¤­¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£2048 - ¥Ó¥Ã¥È°Ê¾å¤Ë¤¹¤ëɬÍפâ¤Ê¤¤¤Ç¤·¤ç¤¦¡£Ç§¾Ú¥×¥í¥»¥¹¤¬ÃÙ¤¯¤Ê¤ê¤Þ¤¹¤·¡¢¸½»þÅÀ¤Ç¤Ï¤ª¤½¤é¤¯É¬Íפ¢¤ê¤Þ¤»¤ó¡£ -Description-pt_BR: Qual deve ser o tamanho da chave RSA criada ? - Por favor, informe o tamanho da chave RSA a ser criada. 
A mesma não deve - ser menor que 1024 bits devido a uma chave de tamanho menor que esse ser - considerada insegura. Você também não precisará de nada maior que 2048 - porque isso somente deixaria o processo de autenticação mais lento e não - seria necessário no momento. - -Template: openswan/x509_self_signed -Type: boolean -Default: true -Description: Do you want to create a self-signed X509 certificate ? - This installer can only create self-signed X509 certificates - automatically, because otherwise a certificate authority is needed to sign - the certificate request. If you want to create a self-signed certificate, - you can use it immediately to connect to other IPSec hosts that support - X509 certificate for authentication of IPSec connections. However, if you - want to use the new PKI features of Openswan >= 1.91, you will need to - have all X509 certificates signed by a single certificate authority to - create a trust path. - . - If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to sign the certificate request with your certificate - authority. -Description-fr: Souhaitez-vous créer un certificat X509 auto-signé ? - Cet outil d'installation ne peut créer automatiquement qu'un certificat - X509 auto-signé puisqu'une autorité de certification est indispensable - pour signer la demande de certificat. Si vous choisissez de créer un - certificat auto-signé, vous pourrez vous en servir immédiatement pour vous - connecter aux hôtes qui authentifient les connexions IPSec avec des - certificats X509. Cependant, si vous souhaitez utiliser les nouvelles - fonctionnalités PKI de Openswan >= 1.91, vous aurez besoin que tous les - certificats X509 soient signés par la même autorité de certification afin - de créer un chemin de confiance. - . 
- Si vous ne voulez pas créer de certificat auto-signé, cet outil - d'installation ne fera que créer la clé privée RSA et la demande de - certificat, que vous devrez ensuite signer avec votre autorité de - certification. -Description-ja: ¼«¸Ê½ð̾ X509 ¾ÚÌÀ½ñ¤òÀ¸À®¤·¤Þ¤¹¤«? - ¾ÚÌÀ½ñÍ×µá¤Ë½ð̾¤¹¤ë¤¿¤á¤Ë¤Ïǧ¾Ú¶É¤¬É¬ÍפȤʤë¤Î¤Ç¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ç¤Ï¼«¸Ê½ð̾ - X509 - ¾ÚÌÀ½ñ¤ò¼«Æ°Åª¤ËÀ¸À®¤¹¤ë»ö¤À¤±¤¬²Äǽ¤Ç¤¹¡£¼«¸Ê½ð̾¾ÚÌÀ½ñ¤òÀ¸À®¤·¤¿¤¤¾ì¹ç¡¢¤³¤ì¤ò»ÈÍѤ·¤Æ¤¹¤°¤Ë - X509 ¾ÚÌÀ½ñ¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¾¤Î IPSec - ¥Û¥¹¥È¤ËÀܳ²Äǽ¤Ç¤¹¡£¤·¤«¤·¡¢Openswan ¥Ð¡¼¥¸¥ç¥ó 1.91 °Ê¾å¤Ç¤Î¿·¤·¤¤ PKI - µ¡Ç½¤ò»È¤¤¤¿¤¤¾ì¹ç¤Ï¡¢trust path - ¤òÀ¸À®¤¹¤ë¤¿¤á¤Ëñ°ì¤Îǧ¾Ú¶É¤Ë¤è¤Ã¤Æ¤¹¤Ù¤Æ¤Î X509 - ¾ÚÌÀ½ñ¤Ë½ð̾¤·¤Æ¤â¤é¤¦É¬Íפ¬¤¢¤ê¤Þ¤¹¡£ - . - ¼«¸Ê½ð̾¾ÚÌÀ½ñ¤òÀ¸À®¤·¤¿¤¯¤Ê¤¤¾ì¹ç¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï RSA - ÈëÌ©¸°¤È¾ÚÌÀ½ñÍ×µá¤Î¤ß¤òÀ¸À®¤·¤Þ¤¹¡£¤½¤·¤Æ¡¢Ç§¾Ú¶É¤Ë¾ÚÌÀ½ñÍ×µá¤Ø½ð̾¤ò¤·¤Æ¤â¤é¤¦É¬Íפ¬¤¢¤ê¤Þ¤¹¡£ -Description-pt_BR: Deseja criar um certificado X509 auto-assinado ? - Este instalador pode criar automaticamente somente certificados X509 - auto-assinados, devido a uma autoridade certificadora ser necessária para - assinar a requisição de certificado. Caso você queira criar um certificado - auto-assinado, você poderá usá-lo imediatamente para conexão com outros - hosts IPSec que suportem certificados X509 para autenticação de conexões - IPSec. Porém, caso você queira usar os novos recursos PKI do Openswan - versão 1.91 ou superior, você precisará possuir todos seus certificados - X509 assinados por uma única autoridade certificadora para criar um - caminho de confiança. - . - Caso você não queira criar um certificado auto-assinado, este instalador - irá somente criar a chave privada RSA e a requisição de certificado e você - terá então que assinar a requisição de certificado junto a sua autoridade - certificadora. - -Template: openswan/x509_country_code -Type: string -Default: AT -Description: Please enter the country code for the X509 certificate request. - Please enter the 2 letter country code for your country. 
This code will be - placed in the certificate request. - . - You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. - . - Example: AT -Description-fr: Code du pays : - Veuillez indiquer le code à deux lettres de votre pays. Ce code sera - inclus dans la demande de certificat. - . - Il est impératif de choisir ici un code de pays valide sinon OpenSSL - refusera de générer les certificats. Tous les autres champs d'un - certificat X.509 peuvent être vides, sauf celui-ci. - . - Exemple : FR -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¹ñ¥³¡¼¥É¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - ¤¢¤Ê¤¿¤Î¹ñ¤Î¹ñ¥³¡¼¥É¤ò2ʸ»ú¤ÇÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î¥³¡¼¥É¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - openssl - ¤¬¹ñ¥³¡¼¥É¤Ê¤·¤Ç¤Ï¾ÚÌÀ½ñ¤ÎÀ¸À®¤òµñÈݤ¹¤ë¤Î¤Ç¡¢Àµ¤·¤¤¹ñ¥³¡¼¥É¤ò¤³¤³¤ÇÆþÎϤ¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£X.509 - ¾ÚÌÀ½ñ¤Ç¤Ï¡¢Â¾¤Î¥Õ¥£¡¼¥ë¥É¤Ë¤Ä¤¤¤Æ¤Ï¶õ¤Ç¤â¹½¤¤¤Þ¤»¤ó¤¬¡¢¤³¤ì¤Ë¤Ä¤¤¤Æ¤Ïµö²Ä¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¡£ - . - Îã: JP -Description-pt_BR: Por favor, informe o código de país para a requisição de certificado X509. - Por favor, informe o códifo de país de duas letras para seu país. Esse - código será inserido na requisição de certificado. - . - Você realmente precisa informar um código de país válido aqui devido ao - openssl se recusar a gerar certificados sem um código de país válido. Um - campo em branco é permitido para qualquer outro campo do certificado - X.509, mas não para esse campo. - . - Exemplo: BR - -Template: openswan/x509_state_name -Type: string -Default: -Description: Please enter the state or province name for the X509 certificate request. - Please enter the full name of the state or province you live in. This name - will be placed in the certificate request. - . - Example: Upper Austria -Description-fr: État, province ou région : - Veuillez indiquer le nom complet de l'état, de la province ou de la région - où vous résidez. 
Ce nom sera inclus dans la demande de certificat. - . - Exemples : Rhône-Alpes, Brabant, Bouches du Rhône, Québec, Canton de Vaud -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÅÔÆ»Éܸ©Ì¾¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - ¤¢¤Ê¤¿¤¬ºß½»¤·¤Æ¤¤¤ëÅÔÆ»Éܸ©¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - Îã: Tokyo -Description-pt_BR: Por favor, informe o estado ou nome de província para a requisição de certificado X509. - Por favor, informe o nome complete do estado ou província em que você - mora. Esse nome será inserido na requisição de certificado. - . - Exemplo : Sao Paulo - -Template: openswan/x509_locality_name -Type: string -Default: -Description: Please enter the locality name for the X509 certificate request. - Please enter the locality (e.g. city) where you live. This name will be - placed in the certificate request. - . - Example: Vienna -Description-fr: Localité : - Veuillez indiquer la localité (p. ex. la ville) où vous résidez. Ce nom - sera inclus dans la demande de certificat. - . - Exemple : Saint-Étienne -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÅÚÃϤÎ̾Á°¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - ¤¢¤Ê¤¿¤Îºß½»¤·¤Æ¤¤¤ëÃÏÊý¤Î̾Á° (Îã: »ÔĮ¼̾) - ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - Îã: Shinjuku-ku -Description-pt_BR: Por favor, informe o nome da localidade para a requisição de certificado X509. - Por favor, informe a localidade (ou seja, cidade) onde você mora. Esse - nome será inserido na requisição de certificado. - . - Exemplo : Sao Paulo - -Template: openswan/x509_organization_name -Type: string -Default: -Description: Please enter the organization name for the X509 certificate request. - Please enter the organization (e.g. company) that the X509 certificate - should be created for. This name will be placed in the certificate - request. - . - Example: Debian -Description-fr: Organisme : - Veuillez indiquer l'organisme (p. ex. l'entreprise) pour qui sera créé le - certificat X509. Ce nom sera inclus dans la demande de certificat. - . 
- Exemple : Debian -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÁÈ¿¥Ì¾¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­ÁÈ¿¥ (Îã: ²ñ¼Ò) - ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - Îã: Debian -Description-pt_BR: Por favor, informe o nome da organização para a requisição de certificado X509. - Por favor, informe a organização (ou seja, a empresa) para a qual este - certificado X509 deverá ser criado. Esse nome será inserido na requisição - de certificado. - . - Exemplo : Debian - -Template: openswan/x509_organizational_unit -Type: string -Default: -Description: Please enter the organizational unit for the X509 certificate request. - Please enter the organizational unit (e.g. section) that the X509 - certificate should be created for. This name will be placed in the - certificate request. - . - Example: security group -Description-fr: Unité d'organisation : - Veuillez indiquer l'unité d'organisation (p. ex. département, division, - etc.) pour qui sera créé le certificat X509. Ce nom sera inclus dans la - demande de certificat. - . - Exemple : Département Réseaux et Informatique Scientifique -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÁÈ¿¥Ã±°Ì¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­ÁÈ¿¥Ã±°Ì (Îã: Éô½ð̾) - ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - Îã: security group -Description-pt_BR: Por favor, informe a unidade organizacional para a requisição de certificado X509. - Por favor, informe a unidade organizacional (ou seja, seção ou - departamento) para a qual este certificado deverá ser criado. Esse nome - será inserido na requisição de certificado. - . - Exemplo : Grupo de Segurança - -Template: openswan/x509_common_name -Type: string -Default: -Description: Please enter the common name for the X509 certificate request. - Please enter the common name (e.g. the host name of this machine) for - which the X509 certificate should be created for. This name will be placed - in the certificate request. - . 
- Example: gateway.debian.org -Description-fr: Nom ordinaire (« common name ») : - Veuillez indiquer le nom ordinaire (p. ex. le nom réseau de cette machine) - pour qui sera créé le certificat X509. Ce nom sera inclus dans la demande - de certificat. - . - Exemple : gateway.debian.org -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¥³¥â¥ó¥Í¡¼¥à¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­¥³¥â¥ó¥Í¡¼¥à (Îã: ¤³¤Î¥Þ¥·¥ó¤Î¥Û¥¹¥È̾) - ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ - . - Îã: gateway.debian.org -Description-pt_BR: Por favor, informe o nome comum para a requisição de certificado X509. - Por favor, informe o nome comum (ou seja, o nome do host dessa máquina) - para o qual o certificado X509 deverá ser criado. Esse nome será inserido - na requisição de certificado. - . - Exemplo : gateway.debian.org - -Template: openswan/x509_email_address -Type: string -Default: -Description: Please enter the email address for the X509 certificate request. - Please enter the email address of the person or organization who is - responsible for the X509 certificate, This address will be placed in the - certificate request. -Description-fr: Adresse électronique : - Veuillez indiquer l'adresse électronique de la personne ou de l'organisme - responsable du certificat X509. Cette adresse sera incluse dans la demande - de certificat. -Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¥á¡¼¥ë¥¢¥É¥ì¥¹¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ - X509 - ¾ÚÌÀ½ñ¤ÎÀÕǤ¼Ô¤È¤Ê¤ë¿Íʪ¡¦ÃÄÂΤΥ᡼¥ë¥¢¥É¥ì¥¹¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î¥¢¥É¥ì¥¹¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ -Description-pt_BR: Por favor, informe o endereço de e-mail para a requisição de certificado X509. - Por favor, informe o endereço de e-mail da pessoa ou organização - responsável pelo certificado X509. Esse endereço será inserido na - requisição de certificado. - -Template: openswan/enable-oe -Type: boolean -Default: false -Description: Do you wish to enable opportunistic encryption in Openswan? 
- Openswan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, Openswan upstream comes with OE enabled by default and is thus - likely to break you existing connection to the Internet (i.e. your default - route) as soon as pluto (the Openswan keying daemon) is started. - . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. -Description-fr: Souhaitez-vous activer le chiffrement opportuniste dansOpenswan ? - Openswan gère le chiffrement opportuniste (« opportunistic encryption » : - OE) qui permet de conserver les informations d'authentification IPSec - (c'est-à-dire les clés publiques RSA) dans des enregistrements DNS, de - préférence sécurisés. Tant que cette fonctionnalité ne sera pas déployée - largement, son activation provoquera un ralentissement significatif pour - toute nouvelle connexion sortante. À partir de la version 2.0, cette - fonctionnalité est activée par défaut dans Openswan, ce qui peut - interrompre le fonctionnement de votre connexion à l'Internet - (c'est-à-dire votre route par défaut) dès le démarrage de pluto, le démon - de gestion de clés d'Openswan. - . - Veuillez choisir si vous souhaitez activer la gestion du chiffrement - opportuniste. Ne l'activez pas si vous n'êtes pas certain d'en avoir - besoin. -Description-ja: Openswan ¤Ç opportunistic encryption ¤òÍ­¸ú¤Ë¤·¤Þ¤¹¤«? 
- Openswan ¤Ï¡¢IPSec ǧ¾Ú¾ðÊó (Îã: RSA ¸ø³«¸°) ¤ò (´ê¤ï¤¯¤Ï¥»¥­¥å¥¢¤Ê) DNS - ¥ì¥³¡¼¥ÉÆâ¤ËÊݸ¤¹¤ë opportunistic encryption (OE) - ¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤Ï¹­¤¯ÍøÍѤµ¤ì¤ë¤è¤¦¤Ë¤Ê¤ë¤Þ¤Ç¡¢¤³¤ì¤òÍ­¸ú¤Ë¤¹¤ë¤³¤È¤ÇÁ´¤Æ¤Î³°Éô¤Ø¤Î¿·µ¬Àܳ¤Ï³ÊÃʤËÃÙ¤¯¤Ê¤ê¤Þ¤¹¡£¥Ð¡¼¥¸¥ç¥ó - 2.0 ¤è¤ê¡¢Openswan ¤Î³«È¯¸µ¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç OE ¤òÍ­¸ú¤Ë¤·¤Æ¤ª¤ê¡¢¤·¤¿¤¬¤Ã¤Æ - plute (Openswan ¸°½ð̾¥Ç¡¼¥â¥ó) - ¤¬³«»Ï¤µ¤ì¤ë¤Þ¤Ç¡¢¤¹¤Ç¤Ë¤¢¤ë¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤Ø¤ÎÀܳ - (¤Ä¤Þ¤ê¥Ç¥Õ¥©¥ë¥È¥ë¡¼¥È) ¤¬ÃæÃǤµ¤ì¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£ - . - OE - ¤Î¥µ¥Ý¡¼¥È¤òÍ­¸ú¤Ë¤¹¤ë¤«¤É¤¦¤«¤òÁª¤ó¤Ç¤¯¤À¤µ¤¤¡£¤è¤¯¤ï¤«¤é¤Ê¤¤¾ì¹ç¤Ï¡¢Í­¸ú¤Ë¤Ï¤·¤Ê¤¤¤Ç¤¯¤À¤µ¤¤¡£ -Description-pt_BR: Você deseja habilitar a encriptação oportunística no Openswan ? - O Openswan suporta encriptação oportunística (OE), a qual armazena - informações de autenticação IPSec (por exemplo, chaves públicas RSA) em - registros DNS (preferivelmente seguros). Até que esse suporte esteja - largamento sendo utilizado, ativá-lo irá causar uma signficante lentidão - para cada nova conexão de saída. Iniciando a partir da versão 2.0, o - Openswan, da forma como é distribuído pelos desenvolvedores oficiais, é - fornecido com o suporte a OE habilitado por padrão e, portanto, - provavelmente irá quebrar suas conexões existentes com a Internet (por - exemplo, sua rota padrão) tão logo o pluto (o daemon de troca de chaves do - Openswan) seja iniciado. - . - Por favor, informe se você deseja habilitar o suporte a OE. Em caso de - dúvidas, não habilite esse suporte. diff --git a/debian/openswan.templates.master b/debian/openswan.templates.master deleted file mode 100644 index f9c9e7e7f..000000000 --- a/debian/openswan.templates.master +++ /dev/null 
@@ -1,207 +0,0 @@ -Template: openswan/start_level -Type: select -_Choices: earliest, "after NFS", "after PCMCIA" -Default: earliest -_Description: At which level do you wish to start Openswan ? - With the current Debian startup levels (nearly everything starting in - level 20), it is impossible for Openswan to always start at the correct - time. There are three possibilities when Openswan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it's best to start Openswan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). - . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start Openswan after NFS so that all - necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. - . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choose to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. - -Template: openswan/restart -Type: boolean -Default: true -_Description: Do you wish to restart Openswan? - Restarting Openswan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down - existing connections and then bring them back up. 
- -Template: openswan/create_rsa_key -Type: boolean -Default: true -_Description: Do you want to create a RSA public/private keypair for this host ? - This installer can automatically create a RSA public/private keypair for - this host. This keypair can be used to authenticate IPSec connections to - other hosts and is the preferred way for building up secure IPSec - connections. The other possibility would be to use shared secrets - (passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. - . - If you do not want to create a new public/private keypair, you can choose to - use an existing one. - -Template: openswan/rsa_key_type -Type: select -_Choices: x509, plain -Default: x509 -_Description: Which type of RSA keypair do you want to create ? - It is possible to create a plain RSA public/private keypair for use - with Openswan or to create a X509 certificate file which contains the RSA - public key and additionally stores the corresponding private key. - . - If you only want to build up IPSec connections to hosts also running - Openswan, it might be a bit easier using plain RSA keypairs. But if you - want to connect to other IPSec implementations, you will need a X509 - certificate. It is also possible to create a X509 certificate here and - extract the RSA public key in plain format if the other side runs - Openswan without X509 certificate support. - . - Therefore a X509 certificate is recommended since it is more flexible and - this installer should be able to hide the complex creation of the X509 - certificate and its use in Openswan anyway. - -Template: openswan/existing_x509_certificate -Type: boolean -Default: false -_Description: Do you have an existing X509 certificate file that you want to use for Openswan ? 
- This installer can automatically extract the needed information from an - existing X509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. Do you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections ? - -Template: openswan/existing_x509_certificate_filename -Type: string -_Description: Please enter the location of your X509 certificate in PEM format. - Please enter the location of the file containing your X509 certificate in - PEM format. - -Template: openswan/existing_x509_key_filename -Type: string -_Description: Please enter the location of your X509 private key in PEM format. - Please enter the location of the file containing the private RSA key - matching your X509 certificate in PEM format. This can be the same file - that contains the X509 certificate. - -Template: openswan/rsa_key_length -Type: string -Default: 2048 -_Description: Which length should the created RSA key have ? - Please enter the length of the created RSA key. it should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. - -Template: openswan/x509_self_signed -Type: boolean -Default: true -_Description: Do you want to create a self-signed X509 certificate ? - This installer can only create self-signed X509 certificates - automatically, because otherwise a certificate authority is needed to sign - the certificate request. If you want to create a self-signed certificate, - you can use it immediately to connect to other IPSec hosts that support - X509 certificate for authentication of IPSec connections. However, if you - want to use the new PKI features of Openswan >= 1.91, you will need to - have all X509 certificates signed by a single certificate authority to - create a trust path. - . 
- If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to sign the certificate request with your certificate - authority. - -Template: openswan/x509_country_code -Type: string -Default: AT -_Description: Please enter the country code for the X509 certificate request. - Please enter the 2 letter country code for your country. This code will be - placed in the certificate request. - . - You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. - . - Example: AT - -Template: openswan/x509_state_name -Type: string -Default: -_Description: Please enter the state or province name for the X509 certificate request. - Please enter the full name of the state or province you live in. This name - will be placed in the certificate request. - . - Example: Upper Austria - -Template: openswan/x509_locality_name -Type: string -Default: -_Description: Please enter the locality name for the X509 certificate request. - Please enter the locality (e.g. city) where you live. This name will be - placed in the certificate request. - . - Example: Vienna - -Template: openswan/x509_organization_name -Type: string -Default: -_Description: Please enter the organization name for the X509 certificate request. - Please enter the organization (e.g. company) that the X509 certificate - should be created for. This name will be placed in the certificate - request. - . - Example: Debian - -Template: openswan/x509_organizational_unit -Type: string -Default: -_Description: Please enter the organizational unit for the X509 certificate request. - Please enter the organizational unit (e.g. section) that the X509 - certificate should be created for. This name will be placed in the - certificate request. - . 
- Example: security group - -Template: openswan/x509_common_name -Type: string -Default: -_Description: Please enter the common name for the X509 certificate request. - Please enter the common name (e.g. the host name of this machine) for - which the X509 certificate should be created for. This name will be placed - in the certificate request. - . - Example: gateway.debian.org - -Template: openswan/x509_email_address -Type: string -Default: -_Description: Please enter the email address for the X509 certificate request. - Please enter the email address of the person or organization who is - responsible for the X509 certificate, This address will be placed in the - certificate request. - -Template: openswan/enable-oe -Type: boolean -Default: false -_Description: Do you wish to enable opportunistic encryption in Openswan? - Openswan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, Openswan upstream comes with OE enabled by default and is thus - likely to break your existing connection to the Internet (i.e. your default - route) as soon as pluto (the Openswan keying daemon) is started. - . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. - diff --git a/debian/rules b/debian/rules index b57711f7a..d0e1090ac 100755 --- a/debian/rules +++ b/debian/rules 
@@ -72,12 +72,12 @@ clean: unpatch -find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm -find $(CURDIR)/lib/libcrypto -name "*.a" | xargs --no-run-if-empty rm - rm -rf debian/openswan-modules-source-build/ + rm -rf debian/strongswan-modules-source-build/ # Really clean (#356716) # This is a hack: should be better implemented - rm -f lib/libopenswan/libopenswan.a || true - rm -f lib/libopenswan/liboswlog.a || true + rm -f lib/libstrongswan/libstrongswan.a || true + rm -f lib/libstrongswan/liboswlog.a || true # just in case something went wrong rm -f $(CURDIR)/debian/ipsec.secrets @@ -92,12 +92,12 @@ ifeq ($(PO2DEBCONF),yes) # 4.1.16) depends on it), the binary-arch target will generate a # better version for sarge. echo 1 > debian/po/output - po2debconf debian/openswan.templates.master > debian/openswan.templates + po2debconf debian/strongswan.templates.master > debian/strongswan.templates rm -f debian/po/output endif -install-openswan: DH_OPTIONS=-a -install-openswan: build +install-strongswan: DH_OPTIONS=-a +install-strongswan: build dh_testdir dh_testroot dh_clean -k 
@@ -107,30 +107,30 @@ install-openswan: build $(MAKE) install INC_USRLOCAL=/usr \ FINALBINDIR=/usr/lib/ipsec \ FINALLIBEXECDIR=/usr/lib/ipsec \ - PUBDIR=$(CURDIR)/debian/openswan/usr/sbin \ - MANTREE=$(CURDIR)/debian/openswan/usr/share/man \ - DESTDIR=$(CURDIR)/debian/openswan - rm -rf $(CURDIR)/debian/openswan/usr/local - install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/openswan/etc/ipsec.secrets + PUBDIR=$(CURDIR)/debian/strongswan/usr/sbin \ + MANTREE=$(CURDIR)/debian/strongswan/usr/share/man \ + DESTDIR=$(CURDIR)/debian/strongswan + rm -rf $(CURDIR)/debian/strongswan/usr/local + install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan/etc/ipsec.secrets # use bash for init.d and _plutorun - patch $(CURDIR)/debian/openswan/etc/init.d/ipsec < debian/use-bash.diff - patch $(CURDIR)/debian/openswan/usr/lib/ipsec/_plutorun < debian/use-bash.diff + patch $(CURDIR)/debian/strongswan/etc/init.d/ipsec < debian/use-bash.diff + patch $(CURDIR)/debian/strongswan/usr/lib/ipsec/_plutorun < debian/use-bash.diff # install the fswcert tool - install $(CURDIR)/programs/fswcert/fswcert $(CURDIR)/debian/openswan/usr/bin - install $(CURDIR)/programs/fswcert/fswcert.8 $(CURDIR)/debian/openswan/usr/share/man/man8 + install $(CURDIR)/programs/fswcert/fswcert $(CURDIR)/debian/strongswan/usr/bin + install $(CURDIR)/programs/fswcert/fswcert.8 $(CURDIR)/debian/strongswan/usr/share/man/man8 - rm -f $(CURDIR)/debian/openswan/etc/init.d/ipsec?* - rm -f $(CURDIR)/debian/openswan/usr/lib/ipsec/_plutorun?* + rm -f $(CURDIR)/debian/strongswan/etc/init.d/ipsec?* + rm -f $(CURDIR)/debian/strongswan/usr/lib/ipsec/_plutorun?* # this is handled by update-rc.d - rm -rf $(CURDIR)/debian/openswan/etc/rc?.d + rm -rf $(CURDIR)/debian/strongswan/etc/rc?.d - dh_installdocs -popenswan -n + dh_installdocs -pstrongswan -n # change the paths in the installed doc files (but only in regular # files, not in links to the outside of the build tree !) 
- ( cd $(CURDIR)/debian/openswan/; \ + ( cd $(CURDIR)/debian/strongswan/; \ for f in `grep "/usr/local/" --recursive --files-with-match *`; \ do \ if [ -f $$f -a ! -L $$f ]; then \ 
@@ -140,132 +140,132 @@ install-openswan: build fi; \ done ) # but remove the doc/src dir, which just duplicates the HTML files - rm -rf $(CURDIR)/debian/openswan/usr/share/doc/openswan/doc/src + rm -rf $(CURDIR)/debian/strongswan/usr/share/doc/strongswan/doc/src # and the index file in the main doc directory - it's replicated under # doc/ - rm -f $(CURDIR)/debian/openswan/usr/share/doc/openswan/index.html + rm -f $(CURDIR)/debian/strongswan/usr/share/doc/strongswan/index.html # the logcheck ignore files - install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/openswan/etc/logcheck/ignore.d.paranoid/openswan - install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/openswan/etc/logcheck/ignore.d.server/openswan - install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/openswan/etc/logcheck/ignore.d.workstation/openswan - install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/openswan/etc/logcheck/violations.ignore.d/openswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.paranoid/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.server/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.workstation/strongswan + install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/strongswan/etc/logcheck/violations.ignore.d/strongswan # set permissions on ipsec.secrets - chmod 600 $(CURDIR)/debian/openswan/etc/ipsec.secrets - chmod 644 $(CURDIR)/debian/openswan/etc/ipsec.conf - chmod 700 -R $(CURDIR)/debian/openswan/etc/ipsec.d/private/ + chmod 600 $(CURDIR)/debian/strongswan/etc/ipsec.secrets + chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.conf + chmod 700 -R $(CURDIR)/debian/strongswan/etc/ipsec.d/private/ # don't know why they 
come with +x set by default... - chmod 644 $(CURDIR)/debian/openswan/etc/ipsec.d/policies/* - chmod 644 $(CURDIR)/debian/openswan/etc/ipsec.d/examples/* + chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.d/policies/* + chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.d/examples/* # more lintian cleanups - find $(CURDIR)/debian/openswan -name ".cvsignore" | xargs --no-run-if-empty rm -f - find $(CURDIR)/debian/openswan -name "/.svn/" | xargs --no-run-if-empty rm -rf + find $(CURDIR)/debian/strongswan -name ".cvsignore" | xargs --no-run-if-empty rm -f + find $(CURDIR)/debian/strongswan -name "/.svn/" | xargs --no-run-if-empty rm -rf -install-openswan-modules-source: DH_OPTIONS=-i -install-openswan-modules-source: PKGDIR=$(CURDIR)/debian/openswan-modules-source -install-openswan-modules-source: BUILDDIR=$(CURDIR)/debian/openswan-modules-source-build -install-openswan-modules-source: patch +install-strongswan-modules-source: DH_OPTIONS=-i +install-strongswan-modules-source: PKGDIR=$(CURDIR)/debian/strongswan-modules-source +install-strongswan-modules-source: BUILDDIR=$(CURDIR)/debian/strongswan-modules-source-build +install-strongswan-modules-source: patch dh_testdir dh_testroot dh_installdirs - mkdir -p "$(BUILDDIR)/modules/openswan" - mkdir -p "$(BUILDDIR)/modules/openswan/lib" - mkdir -p "$(BUILDDIR)/modules/openswan/debian" - mkdir -p "$(BUILDDIR)/modules/openswan/packaging" + mkdir -p "$(BUILDDIR)/modules/strongswan" + mkdir -p "$(BUILDDIR)/modules/strongswan/lib" + mkdir -p "$(BUILDDIR)/modules/strongswan/debian" + mkdir -p "$(BUILDDIR)/modules/strongswan/packaging" cp -r Makefile Makefile.top Makefile.inc Makefile.ver linux/ \ - "$(BUILDDIR)/modules/openswan" - cp -r lib/libcrypto "$(BUILDDIR)/modules/openswan/lib/" + "$(BUILDDIR)/modules/strongswan" + cp -r lib/libcrypto "$(BUILDDIR)/modules/strongswan/lib/" cp -r packaging/makefiles packaging/linus packaging/defaults/ \ - "$(BUILDDIR)/modules/openswan/packaging/" - find "$(BUILDDIR)/modules/openswan/lib/" -name 
"*.o" | xargs --no-run-if-empty rm - install --mode=644 debian/openswan-modules-source.kernel-config "$(BUILDDIR)/modules/openswan/config-all.h" - install --mode=755 debian/openswan-modules-source.rules "$(BUILDDIR)/modules/openswan/debian/rules" - install --mode=644 debian/openswan-modules-source.control.in "$(BUILDDIR)/modules/openswan/debian/control.in" - install --mode=644 debian/changelog "$(BUILDDIR)/modules/openswan/debian/" + "$(BUILDDIR)/modules/strongswan/packaging/" + find "$(BUILDDIR)/modules/strongswan/lib/" -name "*.o" | xargs --no-run-if-empty rm + install --mode=644 debian/strongswan-modules-source.kernel-config "$(BUILDDIR)/modules/strongswan/config-all.h" + install --mode=755 debian/strongswan-modules-source.rules "$(BUILDDIR)/modules/strongswan/debian/rules" + install --mode=644 debian/strongswan-modules-source.control.in "$(BUILDDIR)/modules/strongswan/debian/control.in" + install --mode=644 debian/changelog "$(BUILDDIR)/modules/strongswan/debian/" # This creates the NAT-T patches that can be used on the kernel tree - # even with openswan-modules-source. - make nattpatch2.4 > $(BUILDDIR)/modules/openswan/debian/nat-t-2.4.diff - make nattpatch2.6 > $(BUILDDIR)/modules/openswan/debian/nat-t-2.6.diff + # even with strongswan-modules-source. 
+ make nattpatch2.4 > $(BUILDDIR)/modules/strongswan/debian/nat-t-2.4.diff + make nattpatch2.6 > $(BUILDDIR)/modules/strongswan/debian/nat-t-2.6.diff tar -C $(BUILDDIR) -c modules/ | bzip2 -9 > \ - "$(PKGDIR)/usr/src/openswan-modules.tar.bz2" + "$(PKGDIR)/usr/src/strongswan-modules.tar.bz2" - dh_installdocs -popenswan-modules-source -n + dh_installdocs -pstrongswan-modules-source -n # more lintian cleanups - find $(CURDIR)/debian/openswan-modules-source -name ".cvsignore" | xargs --no-run-if-empty rm -f + find $(CURDIR)/debian/strongswan-modules-source -name ".cvsignore" | xargs --no-run-if-empty rm -f find $(PKGDIR) -name "/.svn/" | xargs --no-run-if-empty rm -rf -install-linux-patch-openswan: DH_OPTIONS=-i -install-linux-patch-openswan: PKGDIR=$(CURDIR)/debian/linux-patch-openswan -install-linux-patch-openswan: patch +install-linux-patch-strongswan: DH_OPTIONS=-i +install-linux-patch-strongswan: PKGDIR=$(CURDIR)/debian/linux-patch-strongswan +install-linux-patch-strongswan: patch dh_testdir dh_testroot dh_installdirs # some of this has been taken from Tommi Virtanen's package - install --mode=0755 debian/linux-patch-openswan.apply \ - "$(PKGDIR)/usr/src/kernel-patches/all/apply/openswan" - install --mode=0755 debian/linux-patch-openswan.unpatch \ - "$(PKGDIR)/usr/src/kernel-patches/all/unpatch/openswan" + install --mode=0755 debian/linux-patch-strongswan.apply \ + "$(PKGDIR)/usr/src/kernel-patches/all/apply/strongswan" + install --mode=0755 debian/linux-patch-strongswan.unpatch \ + "$(PKGDIR)/usr/src/kernel-patches/all/unpatch/strongswan" install --mode=0755 packaging/utils/patcher \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan" + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" cp -r Makefile Makefile.inc Makefile.ver Makefile.top lib/ linux/ \ packaging/ nat-t/ \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan" + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" # also don't generate the out.kpatch file under /usr/src/.... 
sed 's/>>out.kpatch//' \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" \ - > "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" - mv "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" \ + > "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" + mv "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" \ + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" sed 's/>out.kpatch//' \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" \ - > "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" - mv "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" \ + > "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" + mv "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" \ + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" sed 's/rm -f out.kpatch//' \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" \ - > "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" - mv "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile.tmp" \ - "$(PKGDIR)/usr/src/kernel-patches/all/openswan/Makefile" - chmod u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/openswan" + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" \ + > "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" + mv "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile.tmp" \ + "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/Makefile" + chmod u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" # remove extra junk not needed on linux / that lintian would complain about - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" \ -name '*.o' -print0 | xargs --no-run-if-empty -0 
rm -f - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" \ -name '*.a' -print0 | xargs --no-run-if-empty -0 rm -f - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/libopenswan/" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/libdes/" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/liblwres/" - rm -f "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/COPYING.LIB" - rm -f "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/README" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/linus" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/ipkg" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/makefiles" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/redhat" - rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/suse" - rm -r "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/utils/disttools.pl" - rm -r "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/utils/kernel.patch.gen.sh" - rm -r "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/utils/sshenv" - rm -r "$(PKGDIR)/usr/src/kernel-patches/all/openswan/packaging/utils/setup" - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan/linux/net/ipsec/des/asm/" \ + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/libstrongswan/" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/libdes/" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/liblwres/" + rm -f "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/COPYING.LIB" + rm -f "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/README" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/linus" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/ipkg" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/makefiles" + rm -rf "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/redhat" + rm -rf 
"$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/suse" + rm -r "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/utils/disttools.pl" + rm -r "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/utils/kernel.patch.gen.sh" + rm -r "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/utils/sshenv" + rm -r "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/packaging/utils/setup" + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/linux/net/ipsec/des/asm/" \ -name '*.pl' -print0 | xargs --no-run-if-empty -0 \ perl -pi -e 's{^#!/usr/local/bin/perl}{#!/usr/bin/perl}g' - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/libcrypto/" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/libcrypto/" \ -name '*.pl' -print0 | xargs --no-run-if-empty -0 \ perl -pi -e 's{^#!/usr/local/bin/perl}{#!/usr/bin/perl}g' - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan/linux/net/ipsec/des/asm/" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/linux/net/ipsec/des/asm/" \ -name '*.pl' -print0 | xargs --no-run-if-empty -0 chmod a+x - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan/lib/libcrypto/" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/lib/libcrypto/" \ -name '*.pl' -print0 | xargs --no-run-if-empty -0 chmod a+x - find "$(PKGDIR)/usr/src/kernel-patches/all/openswan/linux/net/ipsec/alg/scripts/" \ + find "$(PKGDIR)/usr/src/kernel-patches/all/strongswan/linux/net/ipsec/alg/scripts/" \ -name '*.sh' -print0 | xargs --no-run-if-empty -0 chmod a+x - chmod -R u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/openswan" + chmod -R u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/strongswan" - dh_installdocs -plinux-patch-openswan -n + dh_installdocs -plinux-patch-strongswan -n # more lintian cleanups find $(PKGDIR) -name ".cvsignore" | xargs --no-run-if-empty rm -f 
@@ -291,11 +291,11 @@ binary-common: dh_builddeb # Build architecture-independent files here. -binary-indep: install-openswan-modules-source install-linux-patch-openswan +binary-indep: install-strongswan-modules-source install-linux-patch-strongswan $(MAKE) -f debian/rules DH_OPTIONS=-i binary-common # Build architecture-dependent files here. -binary-arch: install-openswan +binary-arch: install-strongswan $(MAKE) -f debian/rules DH_OPTIONS=-a binary-common # Any other binary targets build just one binary package at a time. diff --git a/debian/strongswan-modules-source.control.in b/debian/strongswan-modules-source.control.in new file mode 100644 index 000000000..7e5aa5307 --- /dev/null +++ b/debian/strongswan-modules-source.control.in @@ -0,0 +1,13 @@ +Section: net +Priority: optional +Maintainer: $KMAINT <$KEMAIL> +Build-Depends: debhelper (>= 4) +Standards-Version: 3.6.0 +Source: openswan + +Package: openswan-modules-$KVERS +Architecture: any +Recommends: kernel-image-$KVERS (= $KDREV) +Description: IPSEC kernel modules for Openswan (binary kernel modules) + This package contains the openswan binary kernel modules for linux + version $KVERS. diff --git a/debian/strongswan-modules-source.dirs b/debian/strongswan-modules-source.dirs new file mode 100644 index 000000000..531fa90c3 --- /dev/null +++ b/debian/strongswan-modules-source.dirs @@ -0,0 +1 @@ +/usr/src/ diff --git a/debian/strongswan-modules-source.docs b/debian/strongswan-modules-source.docs new file mode 100644 index 000000000..e61535265 --- /dev/null +++ b/debian/strongswan-modules-source.docs @@ -0,0 +1,2 @@ +CREDITS +debian/README.Debian diff --git a/debian/strongswan-modules-source.kernel-config b/debian/strongswan-modules-source.kernel-config new file mode 100644 index 000000000..16727d166 --- /dev/null +++ b/debian/strongswan-modules-source.kernel-config 
@@ -0,0 +1,110 @@ +#ifndef _CONFIG_ALL_H_ +/* + * Copyright (C) 2002 Michael Richardson + * + * This kernel module is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This kernel module is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public + * License for more details. + * + * RCSID $Id: openswan-modules-source.kernel-config,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ + */ +#define _CONFIG_ALL_H_ /* seen it, no need to see it again */ + +#define CONFIG_IPSEC 1 + +#ifndef CONFIG_IPSEC_AH +#define CONFIG_IPSEC_AH 1 +#endif + +#ifndef CONFIG_IPSEC_DEBUG +#define CONFIG_IPSEC_DEBUG 1 +#endif + +#ifndef CONFIG_IPSEC_ESP +#define CONFIG_IPSEC_ESP 1 +#endif + +#ifndef CONFIG_IPSEC_IPCOMP +#define CONFIG_IPSEC_IPCOMP 1 +#endif + +#ifndef CONFIG_IPSEC_IPIP +#define CONFIG_IPSEC_IPIP 1 +#endif + +#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5 +#define CONFIG_IPSEC_AUTH_HMAC_MD5 1 +#endif + +#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1 +#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1 +#endif + +#ifndef CONFIG_IPSEC_DYNDEV +#define CONFIG_IPSEC_DYNDEV 1 +#endif + +#ifndef CONFIG_IPSEC_ENC_3DES +#define CONFIG_IPSEC_ENC_3DES 1 +#endif + +#ifndef CONFIG_IPSEC_ENC_AES +#define CONFIG_IPSEC_ENC_AES 1 +#endif + +#ifndef CONFIG_IPSEC_REGRESS +#define CONFIG_IPSEC_REGRESS 0 +#endif + +#ifndef CONFIG_IPSEC_NAT_TRAVERSAL +#define CONFIG_IPSEC_NAT_TRAVERSAL 1 +#endif + +#ifndef CONFIG_IPSEC_ALG +#define CONFIG_IPSEC_ALG 1 +#endif +#ifndef CONFIG_IPSEC_ALG_AES +#define CONFIG_IPSEC_ALG_AES 1 +#endif +#ifndef CONFIG_IPSEC_ALG_TWOFISH +#define CONFIG_IPSEC_ALG_TWOFISH 1 +#endif +#ifndef CONFIG_IPSEC_ALG_BLOWFISH +#define CONFIG_IPSEC_ALG_BLOWFISH 1 +#endif +#ifndef 
CONFIG_IPSEC_ALG_SERPENT +#define CONFIG_IPSEC_ALG_SERPENT 1 +#endif +#ifndef CONFIG_IPSEC_ALG_3DES +#define CONFIG_IPSEC_ALG_3DES 1 +#endif +#ifndef CONFIG_IPSEC_ALG_CAST +#define CONFIG_IPSEC_ALG_CAST 1 +#endif +#ifndef CONFIG_IPSEC_ALG_MD5 +#define CONFIG_IPSEC_ALG_MD5 1 +#endif +#ifndef CONFIG_IPSEC_ALG_NULL +#define CONFIG_IPSEC_ALG_NULL 1 +#endif +#ifndef CONFIG_IPSEC_ALG_SHA1 +#define CONFIG_IPSEC_ALG_SHA1 1 +#endif +#ifndef CONFIG_IPSEC_ALG_SHA2 +#define CONFIG_IPSEC_ALG_SHA2 1 +#endif + +#ifndef CONFIG_IPSEC_ALG_CRYPTOAPI +#define CONFIG_IPSEC_ALG_CRYPTOAPI 1 +#endif +#ifndef CONFIG_IPSEC_ALG_NON_LIBRE +#define CONFIG_IPSEC_ALG_NON_LIBRE 1 +#endif + +#endif /* _CONFIG_ALL_H */ diff --git a/debian/strongswan-modules-source.rules b/debian/strongswan-modules-source.rules new file mode 100755 index 000000000..f31746de1 --- /dev/null +++ b/debian/strongswan-modules-source.rules 
@@ -0,0 +1,150 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 to 1999 by Joey Hess. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This is the debhelper compatability version to use. +export DH_COMPAT=4 + +VERS = $(shell sed -ne '1s/.*(\(.*\)).*/\1/p' debian/changelog) + +# KSRC is the location of the kernel source. This is the default value, +# when make-kpkg is used it will supply to real value +KSRC = /usr/src/linux + +# KDREV is the package-revision, as given to make-kpkg by the user. +# Just put a simply default value in here which we use when we test +# the packagebuilding without make-kpkg +KDREV = "Custom.1.00" + +# Separate the epoch from the normal revision number in KDREV +# for use with dh_gencontrol +KDREV_EPOCH = $(shell echo $(KDREV) | sed -ne '1s/\([^:]*:\)\?\(.*\)/\1/p') +KDREV_REV = $(shell echo $(KDREV) | sed -ne '1s/\([^:]*:\)\?\(.*\)/\2/p') + +# Now we need to get the kernel-version somehow +KVERS=`sed -n -e '/UTS_RELEASE/s/^[^"]*"\([^"]*\)".*$$/\1/p' $(KSRC)/include/linux/version.h` + +SED_SCRIPT=s!\$$KVERS!$(KVERS)!g; \ + s!\$$KSRC!$(KSRC)!; \ + s!\$$KEMAIL!$(KEMAIL)!; \ + s!\$$KMAINT!$(KMAINT)!; \ + s!\$$KDREV!$(KDREV)!; \ + s!\$$DEBDATE!$(shell date +"%a, %d %b %Y %H:%M:%S %z")! + +ifeq ($(DEB_DEST),) +DEB_DEST=$(KSRC)/.. +endif + +# Clear root command if already root +ifeq ($(shell id -u),0) +ROOT_CMD= +endif + +# this primarily sets ARCH, we may be able to do that in another way +# but it also defines IPSECVERSION, which is needed below +include Makefile.inc + +debian/control: debian/control.in + sed -e "$(SED_SCRIPT)" debian/control.in > $@ + +.PHONY: debian/control + + +configure: configure-stamp +configure-stamp: + dh_testdir + # Add here commands to configure the package. 
+ + touch configure-stamp + +build: debian/control configure-stamp build-stamp +build-stamp: + dh_testdir + + $(MAKE) module KERNELSRC=${KSRC} OPENSWANSRCDIR=$(CURDIR) + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp configure-stamp + + $(MAKE) modclean KERNELSRC=${KSRC} OPENSWANSRCDIR=$(CURDIR) + + dh_clean + + rm -f debian/control + +MODDESTDIR=$(CURDIR)/debian/openswan-modules-$(KVERS)/lib/modules/$(KVERS)/kernel/net/ipsec +install: +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + mkdir -p $(MODDESTDIR) + if [ -d modobj ]; then \ + cp modobj/ipsec.o $(MODDESTDIR); \ + cp modobj/ipsec_alg_*.o $(MODDESTDIR); \ + else \ + cp modobj26/ipsec.ko $(MODDESTDIR); \ + fi + + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot +# dh_installdebconf + dh_installdocs + dh_installexamples + dh_installmenu +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_installinit + dh_installmodules + dh_installcron + dh_installman + dh_installinfo +# dh_undocumented + dh_installchangelogs + dh_link + dh_strip + dh_compress + dh_fixperms +# dh_makeshlibs + dh_installdeb +# dh_perl + dh_shlibdeps + dh_gencontrol -- -v$(KDREV_EPOCH)$(VERS)+$(KDREV_REV) + dh_md5sums + dh_builddeb --destdir=$(DEB_DEST) + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure + +binary-modules: binary + + +kdist_image: + $(ROOT_CMD) $(MAKE) -f debian/rules binary-modules + $(ROOT_CMD) $(MAKE) -f debian/rules clean +kdist_clean: debian/control clean +kdist: + $(ROOT_CMD) $(MAKE) -f debian/rules binary-modules +kdist_configure: configure-stamp + + +.PHONY: binary-modules kdist_image + diff --git a/debian/strongswan.config b/debian/strongswan.config new file mode 100644 index 000000000..e779a2ab1 --- /dev/null 
+++ b/debian/strongswan.config @@ -0,0 +1,57 @@ +#!/bin/sh -e + +. /usr/share/debconf/confmodule + +db_input medium openswan/start_level || true + +db_input medium openswan/restart || true + +db_input high openswan/enable-oe || true + +db_input high openswan/create_rsa_key || true +db_go || true + +db_get openswan/create_rsa_key +if [ "$RET" = "true" ]; then + db_input high openswan/rsa_key_type || true + db_go || true + + db_get openswan/rsa_key_type + if [ "$RET" = "plain" ]; then + # create just a plain RSA keypair + db_input medium openswan/rsa_key_length || true + db_go || true + else + # extract the RSA keypair from a x509 certificate + db_input high openswan/existing_x509_certificate || true + db_go || true + + # create a new certificate + db_input medium openswan/rsa_key_length || true + db_input high openswan/x509_self_signed || true + # we can't allow the country code to be empty - openssl will + # refuse to create a certificate this way + countrycode="" + while [ -z "$countrycode" ]; do + db_input medium openswan/x509_country_code || true + db_go || true + db_get openswan/x509_country_code + countrycode="$RET" + done + db_input medium openswan/x509_state_name || true + db_input medium openswan/x509_locality_name || true + db_input medium openswan/x509_organization_name || true + db_input medium openswan/x509_organizational_unit || true + db_input medium openswan/x509_common_name || true + db_input medium openswan/x509_email_address || true + db_go || true + fi +else + db_get openswan/existing_x509_certificate + if [ "$RET" = "true" ]; then + # existing certificate - use it + db_input critical openswan/existing_x509_certificate_filename || true + db_input critical openswan/existing_x509_key_filename || true + db_go || true + fi +fi diff --git a/debian/strongswan.dirs b/debian/strongswan.dirs new file mode 100644 index 000000000..778085209 --- /dev/null +++ b/debian/strongswan.dirs 
@@ -0,0 +1,15 @@ +/etc +/etc/ipsec.d +/etc/ipsec.d/cacerts +/etc/ipsec.d/ocspcerts +/etc/ipsec.d/crls +/etc/ipsec.d/private +/etc/ipsec.d/policies +/etc/init.d +/etc/logcheck/ignore.d.paranoid +/etc/logcheck/ignore.d.server +/etc/logcheck/ignore.d.workstation +/etc/logcheck/violations.ignore.d +/usr/bin +/usr/sbin +/var/lock/subsys diff --git a/debian/strongswan.docs b/debian/strongswan.docs new file mode 100644 index 000000000..e206d4729 --- /dev/null +++ b/debian/strongswan.docs @@ -0,0 +1,5 @@ +BUGS +README +CREDITS +doc/ +docs/ diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst new file mode 100644 index 000000000..7d9b19b4b --- /dev/null +++ b/debian/strongswan.postinst 
@@ -0,0 +1,258 @@ +#! /bin/bash +# postinst script for openswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +insert_private_key() { + cat <> /etc/ipsec.secrets +: RSA { +$1 + } +EOF +} + +insert_private_key_filename() { + if ! grep -q ": RSA $1" /etc/ipsec.secrets; then + echo ": RSA $1" >> /etc/ipsec.secrets + fi +} + +IPSEC_SECRETS_PATTERN_1=': RSA {' +IPSEC_SECRETS_PATTERN_2=' # yyy' +IPSEC_SECRETS_PATTERN_3=' }' +IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' + +# remove old, misguided attempts at a default ipsec.secrets files +repair_legacy_secrets() { + if grep -A 2 "$IPSEC_SECRETS_PATTERN_1" /etc/ipsec.secrets | + tail --lines=2 | + grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | + tail --lines=1 | + grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then + echo "Old default config file detected, removing the old defaults now." 
+ umask 077 ; ( + # this is ugly, and someone maybe can formulate this in sed, but + # this was the quickest way for me + line=`grep -n "$IPSEC_SECRETS_PATTERN_2" /etc/ipsec.secrets | cut -d':' -f1` + until=`expr $line - 1` + head -n $until /etc/ipsec.secrets + sum=`wc -l /etc/ipsec.secrets | cut -d ' ' -f1` + from=`expr $sum - $line -1` + tail -n $from /etc/ipsec.secrets + ) > /etc/ipsec.secrets.tmp + mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets + grep -v "$IPSEC_SECRETS_PATTERN_4" /etc/ipsec.secrets > /etc/ipsec.secrets.tmp + mv /etc/ipsec.secrets.tmp /etc/ipsec.secrets + fi +} + +make_x509_cert() { + if [ $# -ne 12 ]; then + echo "Error in creating X.509 certificate" + exit 1 + fi + + case $5 in + false) + certreq=$4.req + selfsigned="" + ;; + true) + certreq=$4 + selfsigned="-x509" + ;; + *) + echo "Error in creating X.509 certificate" + exit 1 + ;; + esac + + echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ + /usr/bin/openssl req -new -outform PEM -out $certreq \ + -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ + -days $2 $selfsigned >/dev/null +} + +. /usr/share/debconf/confmodule + +case "$1" in + configure) + db_get openswan/create_rsa_key + if [ "$RET" = "true" ]; then + repair_legacy_secrets + # OK, ipsec.secrets should now be correct + db_get openswan/rsa_key_type + if [ "$RET" = "plain" ]; then + # a RSA keypair should be created - check if there is one already + if egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then + echo "Warning: there is already a RSA key in /etc/ipsec.secrets." + echo "Creating an additional one." + fi + # create a plain openswan keypair + db_get openswan/rsa_key_length + umask 077 + keylength=$RET + privkey=`mktemp /tmp/ipsec-postinst.XXXXXX` + /usr/lib/ipsec/rsasigkey $keylength > $privkey + insert_private_key "`cat $privkey`" + rm $privkey + echo "Successfully created a plain openswan RSA keypair." 
+ else + # extract the key from a (newly created) x509 certificate + host=`hostname` + newkeyfile="/etc/ipsec.d/private/${host}Key.pem" + newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" + if [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." + else + # create a new certificate + db_get openswan/rsa_key_length + keylength=$RET + db_get openswan/x509_self_signed + selfsigned=$RET + db_get openswan/x509_country_code + countrycode=$RET + if [ -z "$countrycode" ]; then countrycode="."; fi + db_get openswan/x509_state_name + statename=$RET + if [ -z "$statename" ]; then statename="."; fi + db_get openswan/x509_locality_name + localityname=$RET + if [ -z "$localityname" ]; then localityname="."; fi + db_get openswan/x509_organization_name + orgname=$RET + if [ -z "$orgname" ]; then orgname="."; fi + db_get openswan/x509_organizational_unit + orgunit=$RET + if [ -z "$orgunit" ]; then orgunit="."; fi + db_get openswan/x509_common_name + commonname=$RET + if [ -z "$commonname" ]; then commonname="."; fi + db_get openswan/x509_email_address + email=$RET + if [ -z "$email" ]; then email="."; fi + make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" + chmod 0600 "$newkeyfile" + umask 077 + insert_private_key_filename "$newkeyfile" + echo "Successfully created x509 certificate." + fi + fi + else + db_get openswan/existing_x509_certificate + if [ "$RET" = "true" ]; then + if [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." 
+ else + # existing certificate - use it + db_get openswan/existing_x509_certificate_filename + certfile=$RET + db_get openswan/existing_x509_key_filename + keyfile=$RET + if [ ! -r $certfile ] || [ ! -r $keyfile ]; then + echo "Either the certificate or the key file could not be read !" + else + cp "$certfile" /etc/ipsec.d/certs + umask 077 + cp "$keyfile" "/etc/ipsec.d/private" + newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" + chmod 0600 "$newkeyfile" + insert_private_key_filename "$newkeyfile" + echo "Successfully extracted RSA key from existing x509 certificate." + fi + fi + fi + fi + + # figure out the correct start time + db_get openswan/start_level + if [ "$RET" = "earliest" ]; then + LEVELS="start 41 S . stop 34 0 6 ." + elif [ "$RET" = "after NFS" ]; then + LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." + else + LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." + fi + update-rc.d ipsec $LEVELS > /dev/null + + db_get openswan/enable-oe + if [ "$RET" != "true" ]; then + echo -n "Disabling opportunistic encryption (OE) in config file ... " + if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then + echo "already disabled" + else + cat <> /etc/ipsec.conf +#Disable Opportunistic Encryption +include /etc/ipsec.d/examples/no_oe.conf +EOF + echo "done" + fi + else + echo -n "Enabling opportunistic encryption (OE) in config file ... " + if egrep -q "^include /etc/ipsec.d/examples/no_oe.conf$" /etc/ipsec.conf; then + sed 's/include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/no_oe.conf/' < /etc/ipsec.conf > /etc/ipsec.conf.tmp + mv /etc/ipsec.conf.tmp /etc/ipsec.conf + echo "done" + else + echo "already enabled" + fi + fi + + if [ -z "$2" ]; then + # no old configured version - start openswan now + invoke-rc.d ipsec start || true + else + # does the user wish openswan to restart? 
+ db_get openswan/restart + if [ "$RET" = "true" ]; then + invoke-rc.d ipsec restart || true # sure, we'll restart it for you + fi + fi + + db_stop + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument '$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically + +#DEBHELPER# + +exit 0 diff --git a/debian/strongswan.postrm b/debian/strongswan.postrm new file mode 100644 index 000000000..f5aa182f1 --- /dev/null +++ b/debian/strongswan.postrm @@ -0,0 +1,42 @@ +#! /bin/sh +# postrm script for openswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' overwrit>r> +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + + # update the menu system +# if [ -x /usr/bin/update-menus ]; then update-menus; fi + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 + +esac + +if [ "$1" = "purge" ] ; then + update-rc.d ipsec remove >/dev/null +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + + diff --git a/debian/strongswan.prerm b/debian/strongswan.prerm new file mode 100644 index 000000000..de804d5cb --- /dev/null +++ b/debian/strongswan.prerm 
@@ -0,0 +1,40 @@ +#! /bin/sh +# prerm script for openswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `upgrade' +# * `failed-upgrade' +# * `remove' `in-favour' +# * `deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + upgrade) + ;; + remove|deconfigure) + /etc/init.d/ipsec stop || true +# install-info --quiet --remove /usr/info/openswan.info.gz + ;; + failed-upgrade) + ;; + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/debian/strongswan.templates b/debian/strongswan.templates new file mode 100644 index 000000000..6f75e1ef4 --- /dev/null +++ b/debian/strongswan.templates 
@@ -0,0 +1,633 @@ +Template: openswan/start_level +Type: select +Choices: earliest, "after NFS", "after PCMCIA" +Choices-fr: Le plus tôt possible, Après NFS, Après PCMCIA +Choices-ja: ²Äǽ¤Ê¸Â¤êÁ᤯, "NFS µ¯Æ°¸å", "PCMCIA µ¯Æ°¸å" +Choices-pt_BR: o quando antes, "depois do NFS", "depois do PCMCIA" +Default: earliest +Description: At which level do you wish to start Openswan ? + With the current Debian startup levels (nearly everything starting in + level 20), it is impossible for Openswan to always start at the correct + time. There are three possibilities when Openswan can start: before or + after the NFS services and after the PCMCIA services. The correct answer + depends on your specific setup. + . + If you do not have your /usr tree mounted via NFS (either you only mount + other, less vital trees via NFS or don't use NFS mounted trees at all) and + don't use a PCMCIA network card, then it is the best to start Openswan at + the earliest possible time, thus allowing the NFS mounts to be secured by + IPSec. In this case (or if you don't understand or care about this + issue), answer "earliest" to this question (the default). + . + If you have your /usr tree mounted via NFS and don't use a PCMCIA network + card, then you will need to start Openswan after NFS so that all + necessary files are available. In this case, answer "after NFS" to this + question. Please note that the NFS mount of /usr can not be secured by + IPSec in this case. + . + If you use a PCMCIA network card for your IPSec connections, then you only + have to choice to start it after the PCMCIA services. Answer "after + PCMCIA" in this case. This is also the correct answer if you want to fetch + keys from a locally running DNS server with DNSSec support. +Description-fr: Étape de lancement d'Openswan : + Avec les niveaux de démarrage actuellement utilisés par Debian (presque + tout démarre au niveau 20), il est impossible de faire en sorte + qu'Openswan démarre toujours au moment approprié. 
Il existe trois moments + où il est opportun de le démarrer : avant ou après les services NFS ou + après les services PCMCIA. La réponse appropriée dépend de vos réglages + spécifiques. + . + Si votre arborescence /usr n'est pas un montage NFS (soit parce que vos + montages NFS sont à d'autres endroits, moins critiques, soit parce que + vous n'utilisez pas du tout de montage NFS) et si vous n'utilisez pas de + carte réseau PCMCIA, il est préférable de démarrer Openswan le plus tôt + possible, ce qui permettra de sécuriser les montages NFS avec IPSec. Dans + ce cas (ou bien si vous ne comprenez pas l'objet de la question ou qu'elle + ne vous concerne pas), choisissez « le plus tôt possible », qui est le + choix par défaut. + . + Si /usr est un montage NFS et que vous n'utilisez pas de carte réseau + PCMCIA, vous devrez alors démarrer Openswan après les services NFS afin + que tous les fichiers nécessaires soient disponibles. Dans ce cas, + choisissez « après NFS ». Veuillez noter que le montage NFS de /usr n'est + alors pas sécurisé par IPSec. + . + Si vous utilisez une carte PCMCIA pour vos connexions IPSec, votre seul + choix possible est le démarrage après les services PCMCIA. Choisissez + alors « après PCMCIA ». Faites également ce choix si vous souhaitez + récupérer les clés d'authentification sur un serveur DNS reconnaissant + DNSSec. +Description-ja: ¤É¤ÎÃʳ¬¤Ç Openswan ¤òµ¯Æ°¤µ¤»¤Þ¤¹¤«? + ¸½ºß¤Î Debian ¤Ç¤Îµ¯Æ°¥ì¥Ù¥ë (¤Û¤È¤ó¤ÉÁ´¤Æ¤¬¥ì¥Ù¥ë20) ¤Î¤Þ¤Þ¤Ç¤Ï¡¢Openswan + ¤ò¾ï¤Ë¤ÏŬÀڤʥ¿¥¤¥ß¥ó¥°¤Çµ¯Æ°¤Ç¤­¤Þ¤»¤ó¡£Openswan + ¤òµ¯Æ°¤µ¤»¤ë¥¿¥¤¥ß¥ó¥°¤ÎÁªÂò»è¤È¤·¤Æ¤Ï3¤Ä¤¬¹Í¤¨¤é¤ì¤Þ¤¹: NFS + ¥µ¡¼¥Ó¥¹¤Î³«»ÏÁ°¡¦³«»Ï¸å¡¦PCMCIA + ¥µ¡¼¥Ó¥¹¤Î³«»Ï¸å¤Ç¤¹¡£Àµ²ò¤Ï¤¢¤Ê¤¿¤ÎÀßÄ꼡Âè¤Ç¤¹¡£ + . 
+ NFS ·Ðͳ¤Ç /usr ¤ò¥Þ¥¦¥ó¥È¤»¤º + (¾¤Î¥Ñ¡¼¥Æ¥£¥·¥ç¥ó¤ä¤¢¤Þ¤ê½ÅÍפǤϤʤ¤¥Ñ¡¼¥Æ¥£¥·¥ç¥ó¤ò NFS + ·Ðͳ¤Ç¥Þ¥¦¥ó¥È¤¹¤ë¤«¡¢¤Þ¤¿¤Ï NFS ¥Þ¥¦¥ó¥È¤òÁ´¤¯»È¤ï¤Ê¤¤)¡¢²Ã¤¨¤Æ PCMCIA + ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤òÍøÍѤ·¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢²Äǽ¤Ê¸Â¤êÁᤤ»þ´Ö¤Ë Openswan + ¤òµ¯Æ°¤¹¤ë¤Î¤¬¥Ù¥¹¥È¤Ç¤¹¡£¤³¤ÎÀßÄê¤Ë¤è¤Ã¤Æ¡¢NFS ¤Ç¤Î¥Þ¥¦¥ó¥È¤Ï IPSec + ¤ÇÊݸ¤ì¤Þ¤¹¡£¤³¤Î¾ì¹ç + (¤Þ¤¿¤Ï¤³¤ÎÌäÂê¤òÍý²ò¤·¤Æ¤¤¤Ê¤¤¤«Æä˵¤¤Ë¤·¤Ê¤¤¾ì¹ç) + ¡¢"²Äǽ¤Ê¸Â¤êÁ᤯"¤È¼ÁÌä¤ËÅú¤¨¤Æ¤¯¤À¤µ¤¤ (ɸ½à) ¡£ + . + NFS ·Ðͳ¤Ç /usr ¤ò¥Þ¥¦¥ó¥È¤·¤Æ¤¤¤Æ PCMCIA + ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤ò»ÈÍѤ·¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï¡¢É¬Íפʥե¡¥¤¥ë¤òÍøÍѲÄǽ¤Ë¤¹¤ë¤¿¤á¤Ë + Openswan ¤ò NFS ¤Î¸å¤Çµ¯Æ°¤·¤Ê¤±¤ì¤Ð¤Ê¤ê¤Þ¤»¤ó¡£¤³¤Î¾ì¹ç¡¢"NFS µ¯Æ°¸å" + ¤ÈÅú¤¨¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î»þ¤Ë NFS ·Ðͳ¤Ç¥Þ¥¦¥ó¥È¤µ¤ì¤ë /usr ¤Ï¡¢IPSec + ¤Ë¤è¤ë¥»¥­¥å¥¢¤Ê¾õÂ֤ˤϤʤé¤Ê¤¤¤È¤¤¤¦¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£ + . + IPSec Àܳ¤Ë PCMCIA ¥Í¥Ã¥È¥ï¡¼¥¯¥«¡¼¥É¤òÍøÍѤ·¤Æ¤¤¤¿¾ì¹ç¡¢PCMCIA + ¥µ¡¼¥Ó¥¹¤Îµ¯Æ°¸å¤Ë Openswan + ¤òµ¯Æ°¤¹¤ë°Ê³°¤ËÁªÂò¤Ï¤¢¤ê¤Þ¤»¤ó¡£¤³¤Î¾ì¹ç¡¢"PCMCIA µ¯Æ°¸å" + ¤ÈÅú¤¨¤Æ¤¯¤À¤µ¤¤¡£¥í¡¼¥«¥ë¤ÇÆ°ºî¤·¤Æ¤¤¤ë DNSSec µ¡Ç½¤ò»ÈÍѤ·¤Æ¤¤¤ë DNS + ¥µ¡¼¥Ð¤«¤é¸°¤ò¼èÆÀ¤·¤¿¤¤¾ì¹ç¤Ç¤â¡¢¤³¤ÎÅú¤¨¤ò¤·¤Æ¤¯¤À¤µ¤¤¡£ +Description-pt_BR: Em que nível você deseja iniciar o Openswan ? + Com os níveis de inicialização atuais do Debian (quase todos os serviços + iniciando no nível 20) é impossível para o Openswan sempre iniciar no + momento correto. Existem três possibilidades para quando iniciar o + Openswan : antes ou depois dos serviços NFS e depois dos serviços PCMCIA. + A resposta correta depende se sua configuração específica. + . + Caso você não possua sua àrvore /usr montada via NFS (você somente monta + outras àrvores não vitais via NFS ou não usa àrvores montadas via NFS) e + não use um cartão de rede PCMCIA, a melhor opção é iniciar o Openswan o + quando antes, permitindo dessa forma que os pontos de montagem NFS estejam + protegidos por IPSec. Nesse caso (ou caso você não compreenda ou não se + importe com esse problema), responda "o quando antes" para esta pergunta + (o que é o padrão). + . 
+ Caso você possua sua àrvore /usr montada via NFS e não use um cartão de + rede PCMCIA, você precisará iniciar o Openswan depois do NFS de modo que + todos os arquivos necessários estejam disponíveis. Nesse caso, responda + "depois do NFS" para esta pergunta. Por favor, note que a montagem NFS de + /usr não poderá ser protegida pelo IPSec nesse caso. + . + Caso você use um cartão de rede PCMCIA para suas conexões IPSec você + precisará somente optar por iniciar o Opensan depois dos serviços PCMCIA. + Responda "depois do PCMCIA" nesse caso. Esta é também a maneira correta de + obter chaves de um servidor DNS sendo executado localmente e com suporte a + DNSSec. + +Template: openswan/restart +Type: boolean +Default: true +Description: Do you wish to restart Openswan? + Restarting Openswan is a good idea, since if there is a security fix, it + will not be fixed until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However this might take down + existing connections and then bring them back up. +Description-fr: Souhaitez-vous redémarrer Openswan ? + Redémarrer Openswan est préférable car un éventuel correctif de sécurité + ne prendra place que si le démon est redémarré. La plupart des + utilisateurs s'attendent à ce que le démon redémarre et c'est donc le plus + souvent le meilleur choix. Cependant, cela pourrait interrompre + provisoirement des connexions en cours. +Description-ja: Openswan ¤òºÆµ¯Æ°¤·¤Þ¤¹¤«? + ¥»¥­¥å¥ê¥Æ¥£½¤Àµ¤¬¤¢¤Ã¤¿¾ì¹ç¤Ë¤Ï¥Ç¡¼¥â¥ó¤¬ºÆµ¯Æ°¤µ¤ì¤ë¤Þ¤Ç½¤Àµ¤¬È¿±Ç¤µ¤ì¤Þ¤»¤ó¡£¤½¤Î¤¿¤á¡¢Openswan + ¤òºÆµ¯Æ°¤¹¤ë¤Î¤ÏÎɤ¤¹Í¤¨¤Ç¤¹¡£¤Û¤È¤ó¤É¤Î¿Í¤Ï¥Ç¡¼¥â¥ó¤òºÆµ¯Æ°¤·¤è¤¦¤È¤·¤Þ¤¹¤¬¡¢¤³¤ì¤ÏÂçÄñÌäÂꤢ¤ê¤Þ¤»¤ó¡£¤·¤«¤·¡¢¤³¤Îºî¶È¤Ç¸½ºß¤ÎÀܳ¤ÏÀÚÃǤµ¤ì¡¢ºÆÅÙ·Ò¤®¤Ê¤ª¤¹¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£ +Description-pt_BR: Você deseja reiniciar o Openswan ? + Reiniciar o Openswan é uma boa idéia, uma vez que caso exista um correção + para uma falha de segurança, o mesmo não será corrigido até que o daemon + seja reiniciado. 
A maioria das pessoas esperam que o daemon seja + reiniciado, portanto essa é geralmente uma boa idéia. Porém, reiniciar o + Openswan pode derrubar conexões existentes, mas posteriormente trazê-las + de volta. + +Template: openswan/create_rsa_key +Type: boolean +Default: true +Description: Do you want to create a RSA public/private keypair for this host ? + This installer can automatically create a RSA public/private keypair for + this host. This keypair can be used to authenticate IPSec connections to + other hosts and is the preferred way for building up secure IPSec + connections. The other possibility would be to use shared secrets + (passwords that are the same on both sides of the tunnel) for + authenticating an connection, but for a larger number of connections RSA + authentication is easier to administrate and more secure. +Description-fr: Souhaitez-vous créer une paire de clés RSA publique et privée pour cet hôte ? + Cet outil d'installation peut créer automatiquement une paire de clés RSA + publique et privée pour cet hôte. Cette paire de clés peut servir à + authentifier des connexions IPSec vers d'autres hôtes. Cette méthode est + la méthode conseillée pour l'établissement de liaisons IPSec sûres. + L'autre possibilité d'authentification à la connexion est l'utilisation + d'un secret partagé (« pre-shared key » : des mots de passe identiques aux + deux extrémités du tunnel). Toutefois, pour de nombreuses connexions, + l'authentification RSA est plus simple à administrer et plus sûre. +Description-ja: ¤³¤Î¥Û¥¹¥È¤Î RSA ¸ø³«¸°¤ÈÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤òÀ¸À®¤·¤Þ¤¹¤«? 
+ ¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï¤³¤Î¥Û¥¹¥È¤Î RSA + ¸ø³«¸°¤ÈÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤ò¼«Æ°Åª¤ËÀ¸À®¤Ç¤­¤Þ¤¹¡£¤³¤Î¥­¡¼¥Ú¥¢¤Ï¾¤Î¥Û¥¹¥È¤È¤Î + IPSec ÄÌ¿®¤Ç¤Îǧ¾Ú¤ËÍøÍѲÄǽ¤Ç¡¢¥»¥­¥å¥¢¤Ê IPSec + ÄÌ¿®¤ò³ÎΩ¤¹¤ëÊýË¡¤È¤·¤Æ¹¥¤Þ¤ì¤Æ¤¤¤Þ¤¹¡£Â¾¤ËÍøÍѲÄǽ¤ÊÊýË¡¤È¤·¤Æ¤Ï¶¦Ä̸° + (¥È¥ó¥Í¥ë¤ÎÁÐÊý¤ÇƱ¤¸¥Ñ¥¹¥ï¡¼¥É) + ¤òÄÌ¿®¤Îǧ¾Ú¤ËÍøÍѤ¹¤ë¤È¤¤¤¦¤Î¤¬¤¢¤ê¤Þ¤¹¤¬¡¢Â¿¿ô¤ÎÀܳ¤ËÂФ·¤Æ¤Ï¡¢RSA + ǧ¾Ú¤Î¤Û¤¦¤¬´ÉÍý¤¬¤è¤ê´Êñ¤Ç¡¢¤è¤ê¥»¥­¥å¥¢¤Ç¤¹¡£ +Description-pt_BR: Você deseja criar um par de chaves RSA pública/privada para este host ? + Este instalador pode automaticamente criar um par de chaves RSA + pública/privada para este host. Esse par de chaves pode ser usado para + autenticar conexões IPSec com outros hosts e é a maneira preferida de + construir conexões IPSec seguras. A outra possibilidade seria usar + segredos compartilhados (senhas que são iguais em ambos os lados do túnel) + para autenticar uma conexão, mas para um grande número de conexões RSA a + autenticação é mais fácil de administrar e mais segura. + +Template: openswan/rsa_key_type +Type: select +Choices: x509, plain +Choices-fr: X509, simple paire +Choices-ja: x509, Ä̾ï¤Î¥¿¥¤¥× +Choices-pt_BR: x509, pura +Default: x509 +Description: Which type of RSA keypair do you want to create ? + It is possible to create a plain RSA public/private keypair for the use + with Openswan or to create a X509 certificate file which contains the RSA + public key and additionally store the corresponding private key. + . + If you only want to build up IPSec connections to hosts also running + Openswan, it might be a bit easier using plain RSA keypairs. But if you + want to connect to other IPSec implementations, you will need a X509 + certificate. It is also possible to create a X509 certificate here and + extract the RSA public key in plain format if the other side runs + Openswan without X509 certificate support. + . 
+ Therefore a X509 certificate is recommended since it is more flexible and + this installer should be able to hide the complex creation of the X509 + certificate and its use in Openswan anyway. +Description-fr: Type de paire de clés RSA à créer : + Il est possible de créer une simple paire de clés destinée à être utilisée + avec Openswan ou de créer un fichier de certificat X509 qui contient la + clé publique RSA et de conserver la clé privée correspondante par + ailleurs. + . + Si vous ne prévoyez d'établir des connexions IPSec qu'avec des hôtes + utilisant Openswan, il sera probablement plus facile d'utiliser des clés + RSA simples. Mais si vous souhaitez vous connecter à des hôtes utilisant + d'autres implémentations d'IPSec, vous aurez besoin d'un certificat X509. + Il est également possible de créer un certificat X509 puis d'en extraire + un simple clé publique RSA, si l'autre extrémité de la connexion utilise + Openswan sans le support des certificats X509. + . + En conséquence, il vous est conseillé d'utiliser un certificat X509 car + cette méthode est plus souple. Cet outil d'installation devrait vous + simplifier la tâche de création et d'utilisation de ce certificat X509. +Description-ja: ¤É¤Á¤é¤Î¥¿¥¤¥×¤Î RSA ¥­¡¼¥Ú¥¢¤òÀ¸À®¤·¤Þ¤¹¤«? + Openswan ¤ÇÍøÍѤ¹¤ëÄ̾ï¤Î RSA ¸ø³«¸°¡¦ÈëÌ©¸°¤Î¥­¡¼¥Ú¥¢¤òºî¤ì¤Þ¤¹¡£¤¢¤ë¤¤¤Ï + RSA ¸ø³«¸°¤ò (¤µ¤é¤Ë¤Ï¤½¤ì¤ËÂбþ¤¹¤ëÈëÌ©¸°¤â) ´Þ¤à X509 + ¾ÚÌÀ½ñ¥Õ¥¡¥¤¥ë¤âƱÍͤǤ¹¡£ + . + ´û¤Ë Openswan ¤òÆ°ºî¤µ¤»¤Æ¤¤¤ë¥Û¥¹¥È¤È IPSec + ÄÌ¿®¤ò³ÎΩ¤·¤¿¤¤¤À¤±¤Î¾ì¹ç¤Ï¡¢Ä̾ï¤Î RSA + ¥­¡¼¥Ú¥¢¤ò»ÈÍѤ¹¤ë¤È¿¾¯´Êñ¤Ë¤Ê¤ê¤Þ¤¹¡£¤·¤«¤·¡¢Â¾¤Î IPSec + ¼ÂÁõ¤È¤ÎÀܳ¤ò¹Ô¤¤¤¿¤¤¾ì¹ç¤Ï X509 + ¾ÚÌÀ½ñ¤¬É¬Íפˤʤê¤Þ¤¹¡£ÄÌ¿®¤ò¹Ô¤¦ÂоݤΥۥ¹¥È¤¬ Openswan ¤ò X509 + ¾ÚÌÀ½ñ¤Î¥µ¥Ý¡¼¥È̵¤·¤Ç±¿ÍѤ·¤Æ¤¤¤¿¾ì¹ç¡¢¤³¤³¤Ç X509 + ¾ÚÌÀ½ñ¤òÀ¸À®¤·¤Æ¡¢¸å¤Û¤É RSA ¸ø³«¸°¤òÄ̾ï¤Î·Á¼°¤ËŸ³«¤¹¤ë¤³¤È¤â²Äǽ¤Ç¤¹¡£ + . 
+ ¤·¤¿¤¬¤Ã¤Æ X509 + ¾ÚÌÀ½ñ¤¬¤ª´«¤á¤Ç¤¹¡£¤³¤Á¤é¤Î¤Û¤¦¤¬½ÀÆð¤Ç¤¹¤·¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤ò»È¤¨¤Ð¡¢X509 + ¾ÚÌÀ½ñ¤ÎÀ¸À®¤ä Openswan ¤Ç¤ÎÍøÍѤ˺ݤ·¤Æ¤ÎÌÌÅݤµ¤ò±£Ê䷤Ƥ¯¤ì¤ë¤Ï¤º¤Ç¤¹¡£ +Description-pt_BR: Qual tipo de par de chaves RSA você deseja criar ? + É possível criar um par de chaves RSA pública/privada pura (plain) para + uso com o Openswan ou para criar um arquivo de certificado X509 que irá + conter a chave RSA pública e adicionalmente armazenar a chave privada + correspondente. + . + Caso você queira somente construir conexões IPsec para hosts e também + executar o Openswan, pode ser um pouco mais fácil usar pares de chaves RSA + puros (plain). Mas caso você queira se conectar a outras implementações + IPSec, você precisará de um certificado X509. É também possível criar um + certificado X509 aqui e extrair a chave pública em formato puro (plain) + caso o outro lado execute o Openswan sem suporte a certificados X509. + . + Um certificado X509 é recomendado, uma vez que o mesmo é mais flexível e + este instalador é capaz de simplificar a complexa criação do certificado + X509 e seu uso com o Openswan. + +Template: openswan/existing_x509_certificate +Type: boolean +Default: false +Description: Do you have an existing X509 certificate file that you want to use for Openswan ? + This installer can automatically extract the needed information from an + existing X509 certificate with a matching RSA private key. Both parts can + be in one file, if it is in PEM format. Do you have such an existing + certificate and key file and want to use it for authenticating IPSec + connections ? +Description-fr: Possédez-vous un fichier de certificat X509 existant àutiliser avec Openswan ? + Cet outil d'installation est capable d'extraire automatiquement + l'information nécessaire d'un fichier de certificat X509 existant, avec la + clé privée RSA correspondante. Les deux parties peuvent se trouver dans un + seul fichier, s'il est en format PEM. 
Possédez-vous un tel certificat + ainsi que la clé privée, et souhaitez-vous vous en servir pour + l'authentification des connexions IPSec ? +Description-ja: ´û¤Ë¸ºß¤·¤Æ¤¤¤ë X509 ¾ÚÌÀ½ñ¥Õ¥¡¥¤¥ë¤ò Openswan ¤ÇÍøÍѤ·¤Þ¤¹¤«? + ¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï´û¤Ë¸ºß¤·¤Æ¤¤¤ë X509 ¾ÚÌÀ½ñ¤«¤é RSA + ÈëÌ©¸°¤È¾È¤é¤·¹ç¤ï¤»¤ÆɬÍפʾðÊó¤ò¼«Æ°Åª¤ËŸ³«¤¹¤ë»ö¤¬²Äǽ¤Ç¤¹¡£ PEM + ·Á¼°¤Î¾ì¹ç¡¢ÁÐÊý¤ò°ì¤Ä¤Î¥Õ¥¡¥¤¥ë¤Ë¤Þ¤È¤á¤ë¤³¤È¤â²Äǽ¤Ç¤¹¡£¤½¤Î¤è¤¦¤Ê¾ÚÌÀ½ñ¤È¸°¤Î¥Õ¥¡¥¤¥ë¤¬¤¢¤ê¡¢¤³¤ì¤é¤ò + IPSec ÄÌ¿®¤Ç¤Îǧ¾Ú¤Ë»ÈÍѤ·¤¿¤¤¤Ç¤¹¤«? +Description-pt_BR: Você possui um arquivo de certificado X509 existente que você gostaria de usar com o Openswan ? + Este instalador pode extrair automaticamente a informação necessária de um + certificado X509 existente com uma chave RSA privada adequada. Ambas as + partes podem estar em um arquivo, caso estejam no formato PEM. Você possui + um certificado existente e um arquivo de chave e quer usá-los para + autenticar conexões IPSec ? + +Template: openswan/existing_x509_certificate_filename +Type: string +Description: Please enter the location of your X509 certificate in PEM format. + Please enter the location of the file containing your X509 certificate in + PEM format. +Description-fr: Emplacement de votre certificat X509 au format PEM : + Veuillez indiquer l'emplacement du fichier contenant votre certificat X509 + au format PEM. +Description-ja: PEM ·Á¼°¤Î X509 ¾ÚÌÀ½ñ¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + PEM ·Á¼°¤Î X509 ¾ÚÌÀ½ñ¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ +Description-pt_BR: Por favor, informe a localização de seu certificado X509 no formato PEM. + Por favor, informe a localização do arquivo contendo seu certificado X509 + no formato PEM. + +Template: openswan/existing_x509_key_filename +Type: string +Description: Please enter the location of your X509 private key in PEM format. + Please enter the location of the file containing the private RSA key + matching your X509 certificate in PEM format. This can be the same file + that contains the X509 certificate. 
+Description-fr: Emplacement de votre clé privée X509 au format PEM : + Veuillez indiquer l'emplacement du fichier contenant la clé privée RSA + correspondant à votre certificat X509 au format PEM. Cela peut être le + fichier qui contient le certificat X509. +Description-ja: PEM ·Á¼°¤Î X509 ÈëÌ©¸°¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + PEM ·Á¼°¤Î X509 + ¾ÚÌÀ½ñ¤ËÂбþ¤¹¤ëÈëÌ©¸°¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤Î¾ì½ê¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï + X509 ¾ÚÌÀ½ñ¤ò´Þ¤ó¤Ç¤¤¤ë¥Õ¥¡¥¤¥ë¤ÈƱ¤¸¤Ç¹½¤¤¤Þ¤»¤ó¡£ +Description-pt_BR: Por favor, informe a localização de sua chave privada X509 no formato PEM. + Por favor, informe a localização do arquivo contendo a chave privada RSA + que casa com seu certificado X509 no formato PEM. Este pode ser o mesmo + arquivo que contém o certificado X509. + +Template: openswan/rsa_key_length +Type: string +Default: 2048 +Description: Which length should the created RSA key have ? + Please enter the length of the created RSA key. it should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 2048 bits because it only slows the + authentication process down and is not needed at the moment. +Description-fr: Longueur de la clé RSA à créer : + Veuillez indiquer la longueur de la clé RSA qui sera créée. Elle ne doit + pas être inférieure à 1024 bits car cela serait considéré comme + insuffisamment sûr. Un choix excédant 2048 bits est probablement inutile + car cela ne fait essentiellement que ralentir le processus + d'authentification sans avoir d'intérêt actuellement. +Description-ja: RSA ¸°¤ò¤É¤ÎŤµ¤ÇÀ¸À®¤·¤Þ¤¹¤«? + À¸À®¤¹¤ë RSA ¸°¤ÎŤµ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£°ÂÁ´¤Î¤¿¤á¡¢1024 + ¥Ó¥Ã¥È°Ê²¼¤Ë¤¹¤Ù¤­¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£2048 + ¥Ó¥Ã¥È°Ê¾å¤Ë¤¹¤ëɬÍפâ¤Ê¤¤¤Ç¤·¤ç¤¦¡£Ç§¾Ú¥×¥í¥»¥¹¤¬ÃÙ¤¯¤Ê¤ê¤Þ¤¹¤·¡¢¸½»þÅÀ¤Ç¤Ï¤ª¤½¤é¤¯É¬Íפ¢¤ê¤Þ¤»¤ó¡£ +Description-pt_BR: Qual deve ser o tamanho da chave RSA criada ? + Por favor, informe o tamanho da chave RSA a ser criada. 
A mesma não deve + ser menor que 1024 bits devido a uma chave de tamanho menor que esse ser + considerada insegura. Você também não precisará de nada maior que 2048 + porque isso somente deixaria o processo de autenticação mais lento e não + seria necessário no momento. + +Template: openswan/x509_self_signed +Type: boolean +Default: true +Description: Do you want to create a self-signed X509 certificate ? + This installer can only create self-signed X509 certificates + automatically, because otherwise a certificate authority is needed to sign + the certificate request. If you want to create a self-signed certificate, + you can use it immediately to connect to other IPSec hosts that support + X509 certificate for authentication of IPSec connections. However, if you + want to use the new PKI features of Openswan >= 1.91, you will need to + have all X509 certificates signed by a single certificate authority to + create a trust path. + . + If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request + and you will have to sign the certificate request with your certificate + authority. +Description-fr: Souhaitez-vous créer un certificat X509 auto-signé ? + Cet outil d'installation ne peut créer automatiquement qu'un certificat + X509 auto-signé puisqu'une autorité de certification est indispensable + pour signer la demande de certificat. Si vous choisissez de créer un + certificat auto-signé, vous pourrez vous en servir immédiatement pour vous + connecter aux hôtes qui authentifient les connexions IPSec avec des + certificats X509. Cependant, si vous souhaitez utiliser les nouvelles + fonctionnalités PKI de Openswan >= 1.91, vous aurez besoin que tous les + certificats X509 soient signés par la même autorité de certification afin + de créer un chemin de confiance. + . 
+ Si vous ne voulez pas créer de certificat auto-signé, cet outil + d'installation ne fera que créer la clé privée RSA et la demande de + certificat, que vous devrez ensuite signer avec votre autorité de + certification. +Description-ja: ¼«¸Ê½ð̾ X509 ¾ÚÌÀ½ñ¤òÀ¸À®¤·¤Þ¤¹¤«? + ¾ÚÌÀ½ñÍ×µá¤Ë½ð̾¤¹¤ë¤¿¤á¤Ë¤Ïǧ¾Ú¶É¤¬É¬ÍפȤʤë¤Î¤Ç¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ç¤Ï¼«¸Ê½ð̾ + X509 + ¾ÚÌÀ½ñ¤ò¼«Æ°Åª¤ËÀ¸À®¤¹¤ë»ö¤À¤±¤¬²Äǽ¤Ç¤¹¡£¼«¸Ê½ð̾¾ÚÌÀ½ñ¤òÀ¸À®¤·¤¿¤¤¾ì¹ç¡¢¤³¤ì¤ò»ÈÍѤ·¤Æ¤¹¤°¤Ë + X509 ¾ÚÌÀ½ñ¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¾¤Î IPSec + ¥Û¥¹¥È¤ËÀܳ²Äǽ¤Ç¤¹¡£¤·¤«¤·¡¢Openswan ¥Ð¡¼¥¸¥ç¥ó 1.91 °Ê¾å¤Ç¤Î¿·¤·¤¤ PKI + µ¡Ç½¤ò»È¤¤¤¿¤¤¾ì¹ç¤Ï¡¢trust path + ¤òÀ¸À®¤¹¤ë¤¿¤á¤Ëñ°ì¤Îǧ¾Ú¶É¤Ë¤è¤Ã¤Æ¤¹¤Ù¤Æ¤Î X509 + ¾ÚÌÀ½ñ¤Ë½ð̾¤·¤Æ¤â¤é¤¦É¬Íפ¬¤¢¤ê¤Þ¤¹¡£ + . + ¼«¸Ê½ð̾¾ÚÌÀ½ñ¤òÀ¸À®¤·¤¿¤¯¤Ê¤¤¾ì¹ç¡¢¤³¤Î¥¤¥ó¥¹¥È¡¼¥é¤Ï RSA + ÈëÌ©¸°¤È¾ÚÌÀ½ñÍ×µá¤Î¤ß¤òÀ¸À®¤·¤Þ¤¹¡£¤½¤·¤Æ¡¢Ç§¾Ú¶É¤Ë¾ÚÌÀ½ñÍ×µá¤Ø½ð̾¤ò¤·¤Æ¤â¤é¤¦É¬Íפ¬¤¢¤ê¤Þ¤¹¡£ +Description-pt_BR: Deseja criar um certificado X509 auto-assinado ? + Este instalador pode criar automaticamente somente certificados X509 + auto-assinados, devido a uma autoridade certificadora ser necessária para + assinar a requisição de certificado. Caso você queira criar um certificado + auto-assinado, você poderá usá-lo imediatamente para conexão com outros + hosts IPSec que suportem certificados X509 para autenticação de conexões + IPSec. Porém, caso você queira usar os novos recursos PKI do Openswan + versão 1.91 ou superior, você precisará possuir todos seus certificados + X509 assinados por uma única autoridade certificadora para criar um + caminho de confiança. + . + Caso você não queira criar um certificado auto-assinado, este instalador + irá somente criar a chave privada RSA e a requisição de certificado e você + terá então que assinar a requisição de certificado junto a sua autoridade + certificadora. + +Template: openswan/x509_country_code +Type: string +Default: AT +Description: Please enter the country code for the X509 certificate request. + Please enter the 2 letter country code for your country. 
This code will be + placed in the certificate request. + . + You really need to enter a valid country code here, because openssl will + refuse to generate certificates without one. An empty field is allowed for + any other field of the X.509 certificate, but not for this one. + . + Example: AT +Description-fr: Code du pays : + Veuillez indiquer le code à deux lettres de votre pays. Ce code sera + inclus dans la demande de certificat. + . + Il est impératif de choisir ici un code de pays valide sinon OpenSSL + refusera de générer les certificats. Tous les autres champs d'un + certificat X.509 peuvent être vides, sauf celui-ci. + . + Exemple : FR +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¹ñ¥³¡¼¥É¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + ¤¢¤Ê¤¿¤Î¹ñ¤Î¹ñ¥³¡¼¥É¤ò2ʸ»ú¤ÇÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î¥³¡¼¥É¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + openssl + ¤¬¹ñ¥³¡¼¥É¤Ê¤·¤Ç¤Ï¾ÚÌÀ½ñ¤ÎÀ¸À®¤òµñÈݤ¹¤ë¤Î¤Ç¡¢Àµ¤·¤¤¹ñ¥³¡¼¥É¤ò¤³¤³¤ÇÆþÎϤ¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£X.509 + ¾ÚÌÀ½ñ¤Ç¤Ï¡¢Â¾¤Î¥Õ¥£¡¼¥ë¥É¤Ë¤Ä¤¤¤Æ¤Ï¶õ¤Ç¤â¹½¤¤¤Þ¤»¤ó¤¬¡¢¤³¤ì¤Ë¤Ä¤¤¤Æ¤Ïµö²Ä¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¡£ + . + Îã: JP +Description-pt_BR: Por favor, informe o código de país para a requisição de certificado X509. + Por favor, informe o códifo de país de duas letras para seu país. Esse + código será inserido na requisição de certificado. + . + Você realmente precisa informar um código de país válido aqui devido ao + openssl se recusar a gerar certificados sem um código de país válido. Um + campo em branco é permitido para qualquer outro campo do certificado + X.509, mas não para esse campo. + . + Exemplo: BR + +Template: openswan/x509_state_name +Type: string +Default: +Description: Please enter the state or province name for the X509 certificate request. + Please enter the full name of the state or province you live in. This name + will be placed in the certificate request. + . + Example: Upper Austria +Description-fr: État, province ou région : + Veuillez indiquer le nom complet de l'état, de la province ou de la région + où vous résidez. 
Ce nom sera inclus dans la demande de certificat. + . + Exemples : Rhône-Alpes, Brabant, Bouches du Rhône, Québec, Canton de Vaud +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÅÔÆ»Éܸ©Ì¾¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + ¤¢¤Ê¤¿¤¬ºß½»¤·¤Æ¤¤¤ëÅÔÆ»Éܸ©¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + Îã: Tokyo +Description-pt_BR: Por favor, informe o estado ou nome de província para a requisição de certificado X509. + Por favor, informe o nome complete do estado ou província em que você + mora. Esse nome será inserido na requisição de certificado. + . + Exemplo : Sao Paulo + +Template: openswan/x509_locality_name +Type: string +Default: +Description: Please enter the locality name for the X509 certificate request. + Please enter the locality (e.g. city) where you live. This name will be + placed in the certificate request. + . + Example: Vienna +Description-fr: Localité : + Veuillez indiquer la localité (p. ex. la ville) où vous résidez. Ce nom + sera inclus dans la demande de certificat. + . + Exemple : Saint-Étienne +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÅÚÃϤÎ̾Á°¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + ¤¢¤Ê¤¿¤Îºß½»¤·¤Æ¤¤¤ëÃÏÊý¤Î̾Á° (Îã: »ÔĮ¼̾) + ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + Îã: Shinjuku-ku +Description-pt_BR: Por favor, informe o nome da localidade para a requisição de certificado X509. + Por favor, informe a localidade (ou seja, cidade) onde você mora. Esse + nome será inserido na requisição de certificado. + . + Exemplo : Sao Paulo + +Template: openswan/x509_organization_name +Type: string +Default: +Description: Please enter the organization name for the X509 certificate request. + Please enter the organization (e.g. company) that the X509 certificate + should be created for. This name will be placed in the certificate + request. + . + Example: Debian +Description-fr: Organisme : + Veuillez indiquer l'organisme (p. ex. l'entreprise) pour qui sera créé le + certificat X509. Ce nom sera inclus dans la demande de certificat. + . 
+ Exemple : Debian +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÁÈ¿¥Ì¾¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­ÁÈ¿¥ (Îã: ²ñ¼Ò) + ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + Îã: Debian +Description-pt_BR: Por favor, informe o nome da organização para a requisição de certificado X509. + Por favor, informe a organização (ou seja, a empresa) para a qual este + certificado X509 deverá ser criado. Esse nome será inserido na requisição + de certificado. + . + Exemplo : Debian + +Template: openswan/x509_organizational_unit +Type: string +Default: +Description: Please enter the organizational unit for the X509 certificate request. + Please enter the organizational unit (e.g. section) that the X509 + certificate should be created for. This name will be placed in the + certificate request. + . + Example: security group +Description-fr: Unité d'organisation : + Veuillez indiquer l'unité d'organisation (p. ex. département, division, + etc.) pour qui sera créé le certificat X509. Ce nom sera inclus dans la + demande de certificat. + . + Exemple : Département Réseaux et Informatique Scientifique +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ëÁÈ¿¥Ã±°Ì¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­ÁÈ¿¥Ã±°Ì (Îã: Éô½ð̾) + ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + Îã: security group +Description-pt_BR: Por favor, informe a unidade organizacional para a requisição de certificado X509. + Por favor, informe a unidade organizacional (ou seja, seção ou + departamento) para a qual este certificado deverá ser criado. Esse nome + será inserido na requisição de certificado. + . + Exemplo : Grupo de Segurança + +Template: openswan/x509_common_name +Type: string +Default: +Description: Please enter the common name for the X509 certificate request. + Please enter the common name (e.g. the host name of this machine) for + which the X509 certificate should be created for. This name will be placed + in the certificate request. + . 
+ Example: gateway.debian.org +Description-fr: Nom ordinaire (« common name ») : + Veuillez indiquer le nom ordinaire (p. ex. le nom réseau de cette machine) + pour qui sera créé le certificat X509. Ce nom sera inclus dans la demande + de certificat. + . + Exemple : gateway.debian.org +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¥³¥â¥ó¥Í¡¼¥à¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + X509 ¾ÚÌÀ½ñ¤ÎÀ¸À®ÂоݤȤʤë¤Ù¤­¥³¥â¥ó¥Í¡¼¥à (Îã: ¤³¤Î¥Þ¥·¥ó¤Î¥Û¥¹¥È̾) + ¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ + . + Îã: gateway.debian.org +Description-pt_BR: Por favor, informe o nome comum para a requisição de certificado X509. + Por favor, informe o nome comum (ou seja, o nome do host dessa máquina) + para o qual o certificado X509 deverá ser criado. Esse nome será inserido + na requisição de certificado. + . + Exemplo : gateway.debian.org + +Template: openswan/x509_email_address +Type: string +Default: +Description: Please enter the email address for the X509 certificate request. + Please enter the email address of the person or organization who is + responsible for the X509 certificate, This address will be placed in the + certificate request. +Description-fr: Adresse électronique : + Veuillez indiquer l'adresse électronique de la personne ou de l'organisme + responsable du certificat X509. Cette adresse sera incluse dans la demande + de certificat. +Description-ja: X509 ¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤¹¤ë¥á¡¼¥ë¥¢¥É¥ì¥¹¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£ + X509 + ¾ÚÌÀ½ñ¤ÎÀÕǤ¼Ô¤È¤Ê¤ë¿Íʪ¡¦ÃÄÂΤΥ᡼¥ë¥¢¥É¥ì¥¹¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£¤³¤Î¥¢¥É¥ì¥¹¤Ï¾ÚÌÀ½ñÍ×µá¤Ëµ­ºÜ¤µ¤ì¤Þ¤¹¡£ +Description-pt_BR: Por favor, informe o endereço de e-mail para a requisição de certificado X509. + Por favor, informe o endereço de e-mail da pessoa ou organização + responsável pelo certificado X509. Esse endereço será inserido na + requisição de certificado. + +Template: openswan/enable-oe +Type: boolean +Default: false +Description: Do you wish to enable opportunistic encryption in Openswan? 
+ Openswan comes with support for opportunistic encryption (OE), which stores + IPSec authentication information (i.e. RSA public keys) in (preferably + secure) DNS records. Until this is widely deployed, activating it will + cause a significant slow-down for every new, outgoing connection. Since + version 2.0, Openswan upstream comes with OE enabled by default and is thus + likely to break you existing connection to the Internet (i.e. your default + route) as soon as pluto (the Openswan keying daemon) is started. + . + Please choose whether you want to enable support for OE. If unsure, do not + enable it. +Description-fr: Souhaitez-vous activer le chiffrement opportuniste dansOpenswan ? + Openswan gère le chiffrement opportuniste (« opportunistic encryption » : + OE) qui permet de conserver les informations d'authentification IPSec + (c'est-à-dire les clés publiques RSA) dans des enregistrements DNS, de + préférence sécurisés. Tant que cette fonctionnalité ne sera pas déployée + largement, son activation provoquera un ralentissement significatif pour + toute nouvelle connexion sortante. À partir de la version 2.0, cette + fonctionnalité est activée par défaut dans Openswan, ce qui peut + interrompre le fonctionnement de votre connexion à l'Internet + (c'est-à-dire votre route par défaut) dès le démarrage de pluto, le démon + de gestion de clés d'Openswan. + . + Veuillez choisir si vous souhaitez activer la gestion du chiffrement + opportuniste. Ne l'activez pas si vous n'êtes pas certain d'en avoir + besoin. +Description-ja: Openswan ¤Ç opportunistic encryption ¤òÍ­¸ú¤Ë¤·¤Þ¤¹¤«? 
+ Openswan ¤Ï¡¢IPSec ǧ¾Ú¾ðÊó (Îã: RSA ¸ø³«¸°) ¤ò (´ê¤ï¤¯¤Ï¥»¥­¥å¥¢¤Ê) DNS + ¥ì¥³¡¼¥ÉÆâ¤ËÊݸ¤¹¤ë opportunistic encryption (OE) + ¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤Ï¹­¤¯ÍøÍѤµ¤ì¤ë¤è¤¦¤Ë¤Ê¤ë¤Þ¤Ç¡¢¤³¤ì¤òÍ­¸ú¤Ë¤¹¤ë¤³¤È¤ÇÁ´¤Æ¤Î³°Éô¤Ø¤Î¿·µ¬Àܳ¤Ï³ÊÃʤËÃÙ¤¯¤Ê¤ê¤Þ¤¹¡£¥Ð¡¼¥¸¥ç¥ó + 2.0 ¤è¤ê¡¢Openswan ¤Î³«È¯¸µ¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç OE ¤òÍ­¸ú¤Ë¤·¤Æ¤ª¤ê¡¢¤·¤¿¤¬¤Ã¤Æ + plute (Openswan ¸°½ð̾¥Ç¡¼¥â¥ó) + ¤¬³«»Ï¤µ¤ì¤ë¤Þ¤Ç¡¢¤¹¤Ç¤Ë¤¢¤ë¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤Ø¤ÎÀܳ + (¤Ä¤Þ¤ê¥Ç¥Õ¥©¥ë¥È¥ë¡¼¥È) ¤¬ÃæÃǤµ¤ì¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¡£ + . + OE + ¤Î¥µ¥Ý¡¼¥È¤òÍ­¸ú¤Ë¤¹¤ë¤«¤É¤¦¤«¤òÁª¤ó¤Ç¤¯¤À¤µ¤¤¡£¤è¤¯¤ï¤«¤é¤Ê¤¤¾ì¹ç¤Ï¡¢Í­¸ú¤Ë¤Ï¤·¤Ê¤¤¤Ç¤¯¤À¤µ¤¤¡£ +Description-pt_BR: Você deseja habilitar a encriptação oportunística no Openswan ? + O Openswan suporta encriptação oportunística (OE), a qual armazena + informações de autenticação IPSec (por exemplo, chaves públicas RSA) em + registros DNS (preferivelmente seguros). Até que esse suporte esteja + largamento sendo utilizado, ativá-lo irá causar uma signficante lentidão + para cada nova conexão de saída. Iniciando a partir da versão 2.0, o + Openswan, da forma como é distribuído pelos desenvolvedores oficiais, é + fornecido com o suporte a OE habilitado por padrão e, portanto, + provavelmente irá quebrar suas conexões existentes com a Internet (por + exemplo, sua rota padrão) tão logo o pluto (o daemon de troca de chaves do + Openswan) seja iniciado. + . + Por favor, informe se você deseja habilitar o suporte a OE. Em caso de + dúvidas, não habilite esse suporte. diff --git a/debian/strongswan.templates.master b/debian/strongswan.templates.master new file mode 100644 index 000000000..3da305930 --- /dev/null +++ b/debian/strongswan.templates.master 
@@ -0,0 +1,207 @@ +Template: strongswan/start_level +Type: select +_Choices: earliest, "after NFS", "after PCMCIA" +Default: earliest +_Description: At which level do you wish to start strongSwan ? + With the current Debian startup levels (nearly everything starting in + level 20), it is impossible for strongSwan to always start at the correct + time. There are three possibilities when strongSwan can start: before or + after the NFS services and after the PCMCIA services. The correct answer + depends on your specific setup. + . + If you do not have your /usr tree mounted via NFS (either you only mount + other, less vital trees via NFS or don't use NFS mounted trees at all) and + don't use a PCMCIA network card, then it's best to start strongSwan at + the earliest possible time, thus allowing the NFS mounts to be secured by + IPSec. In this case (or if you don't understand or care about this + issue), answer "earliest" to this question (the default). + . + If you have your /usr tree mounted via NFS and don't use a PCMCIA network + card, then you will need to start strongSwan after NFS so that all + necessary files are available. In this case, answer "after NFS" to this + question. Please note that the NFS mount of /usr can not be secured by + IPSec in this case. + . + If you use a PCMCIA network card for your IPSec connections, then you only + have to choose to start it after the PCMCIA services. Answer "after + PCMCIA" in this case. This is also the correct answer if you want to fetch + keys from a locally running DNS server with DNSSec support. + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Do you wish to restart strongSwan? + Restarting strongSwan is a good idea, since if there is a security fix, it + will not be fixed until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However this might take down + existing connections and then bring them back up. 
+ +Template: strongswan/create_rsa_key +Type: boolean +Default: true +_Description: Do you want to create a RSA public/private keypair for this host ? + This installer can automatically create a RSA public/private keypair for + this host. This keypair can be used to authenticate IPSec connections to + other hosts and is the preferred way for building up secure IPSec + connections. The other possibility would be to use shared secrets + (passwords that are the same on both sides of the tunnel) for + authenticating an connection, but for a larger number of connections RSA + authentication is easier to administer and more secure. + . + If you do not want to create a new public/private keypair, you can choose to + use an existing one. + +Template: strongswan/rsa_key_type +Type: select +_Choices: x509, plain +Default: x509 +_Description: Which type of RSA keypair do you want to create ? + It is possible to create a plain RSA public/private keypair for use + with strongSwan or to create a X509 certificate file which contains the RSA + public key and additionally stores the corresponding private key. + . + If you only want to build up IPSec connections to hosts also running + strongSwan, it might be a bit easier using plain RSA keypairs. But if you + want to connect to other IPSec implementations, you will need a X509 + certificate. It is also possible to create a X509 certificate here and + extract the RSA public key in plain format if the other side runs + strongSwan without X509 certificate support. + . + Therefore a X509 certificate is recommended since it is more flexible and + this installer should be able to hide the complex creation of the X509 + certificate and its use in strongSwan anyway. + +Template: strongswan/existing_x509_certificate +Type: boolean +Default: false +_Description: Do you have an existing X509 certificate file that you want to use for strongSwan ? 
+ This installer can automatically extract the needed information from an + existing X509 certificate with a matching RSA private key. Both parts can + be in one file, if it is in PEM format. Do you have such an existing + certificate and key file and want to use it for authenticating IPSec + connections ? + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: Please enter the location of your X509 certificate in PEM format. + Please enter the location of the file containing your X509 certificate in + PEM format. + +Template: strongswan/existing_x509_key_filename +Type: string +_Description: Please enter the location of your X509 private key in PEM format. + Please enter the location of the file containing the private RSA key + matching your X509 certificate in PEM format. This can be the same file + that contains the X509 certificate. + +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: Which length should the created RSA key have ? + Please enter the length of the created RSA key. it should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 2048 bits because it only slows the + authentication process down and is not needed at the moment. + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Do you want to create a self-signed X509 certificate ? + This installer can only create self-signed X509 certificates + automatically, because otherwise a certificate authority is needed to sign + the certificate request. If you want to create a self-signed certificate, + you can use it immediately to connect to other IPSec hosts that support + X509 certificate for authentication of IPSec connections. However, if you + want to use the new PKI features of strongSwan >= 1.91, you will need to + have all X509 certificates signed by a single certificate authority to + create a trust path. + . 
+ If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request + and you will have to sign the certificate request with your certificate + authority. + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Please enter the country code for the X509 certificate request. + Please enter the 2 letter country code for your country. This code will be + placed in the certificate request. + . + You really need to enter a valid country code here, because openssl will + refuse to generate certificates without one. An empty field is allowed for + any other field of the X.509 certificate, but not for this one. + . + Example: AT + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: Please enter the state or province name for the X509 certificate request. + Please enter the full name of the state or province you live in. This name + will be placed in the certificate request. + . + Example: Upper Austria + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Please enter the locality name for the X509 certificate request. + Please enter the locality (e.g. city) where you live. This name will be + placed in the certificate request. + . + Example: Vienna + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Please enter the organization name for the X509 certificate request. + Please enter the organization (e.g. company) that the X509 certificate + should be created for. This name will be placed in the certificate + request. + . + Example: Debian + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Please enter the organizational unit for the X509 certificate request. + Please enter the organizational unit (e.g. section) that the X509 + certificate should be created for. This name will be placed in the + certificate request. + . 
+ Example: security group + +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Please enter the common name for the X509 certificate request. + Please enter the common name (e.g. the host name of this machine) for + which the X509 certificate should be created for. This name will be placed + in the certificate request. + . + Example: gateway.debian.org + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Please enter the email address for the X509 certificate request. + Please enter the email address of the person or organization who is + responsible for the X509 certificate, This address will be placed in the + certificate request. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Do you wish to enable opportunistic encryption in strongSwan? + strongSwan comes with support for opportunistic encryption (OE), which stores + IPSec authentication information (i.e. RSA public keys) in (preferably + secure) DNS records. Until this is widely deployed, activating it will + cause a significant slow-down for every new, outgoing connection. Since + version 2.0, strongSwan upstream comes with OE enabled by default and is thus + likely to break your existing connection to the Internet (i.e. your default + route) as soon as pluto (the strongSwan keying daemon) is started. + . + Please choose whether you want to enable support for OE. If unsure, do not + enable it. + -- cgit v1.2.3
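Review bot: In debian/strongswan.templates (the translated file that ends just before the diff header for debian/strongswan.templates.master), the added lines still declare `Template: openswan/x509_country_code` through `Template: openswan/enable-oe`, and the descriptions still say "Openswan", while the master file added next uses `strongswan/...` names. Any maintainer script that asks for the strongswan/ names will not find these templates, so the rename needs to be carried through here too, preferably by regenerating this file from templates.master instead of editing it by hand. Regenerating would also pick up the "likely to break you existing connection" typo, which the master file already has as "your".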
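Review bot: In debian/strongswan.templates.master, the search and replace has turned statements about Openswan's release history into claims about strongSwan: "the new PKI features of strongSwan >= 1.91" in strongswan/x509_self_signed and "Since version 2.0, strongSwan upstream comes with OE enabled by default" in strongswan/enable-oe. Both version numbers were written for Openswan and should be checked against strongSwan's own releases, or the sentences reworded without a version. Separately, strongswan/rsa_key_length is `Type: string` with only prose advising against fewer than 1024 bits, so the config script should validate the answer (numeric, with an enforced minimum) or the template should become a select; "unsecure" in that description should read "insecure".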