# These templates have been reviewed by the debian-l10n-english
# team
#
# If modifications/additions/rewording are needed, please ask
# debian-l10n-english@lists.debian.org for advice.
#
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.

Template: strongswan/start_level
Type: select
__Choices: earliest, after NFS, after PCMCIA
Default: earliest
_Description: When to start strongSwan:
 StrongSwan starts during system startup so that it can protect
 filesystems that are automatically mounted.
 .
  * earliest: if /usr is not mounted through NFS and you don't use a
    PCMCIA network card, it is best to start strongSwan as soon as
    possible, so that NFS mounts can be secured by IPSec;
  * after NFS: recommended when /usr is mounted through NFS and no
    PCMCIA network card is used;
  * after PCMCIA: recommended if the IPSec connection uses a PCMCIA
    network card or if it needs keys to be fetched from a locally
    running DNS server with DNSSec support.

Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan now?
 Restarting strongSwan is recommended, because if there is a security
 fix, it will not be applied until the daemon restarts. However, this
 might close existing connections and then bring them back up.
 .
 If you don't restart strongSwan now, you should do so manually at the
 first opportunity.

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
 The pluto daemon must be running to support version 1 of the Internet
 Key Exchange protocol.

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
 The charon daemon must be running to support version 2 of the Internet
 Key Exchange protocol.

Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Create an RSA public/private keypair for this host?
 StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to
 authenticate IPSec connections to other hosts. RSA authentication is
 generally considered more secure and is easier to administer. You can
 use PSK and RSA authentication simultaneously.
 .
 If you do not want to create a new public/private keypair, you can
 choose to use an existing one in the next step.

Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Use an existing X.509 certificate for strongSwan?
 The required information can automatically be extracted from an
 existing X.509 certificate with a matching RSA private key. Both parts
 can be in one file, if it is in PEM format. You should choose this
 option if you have such an existing certificate and key file and want
 to use it for authenticating IPSec connections.

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
 Please enter the full location of the file containing your X.509
 certificate in PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your existing X.509 private key in PEM format:
 Please enter the full location of the file containing the private RSA
 key matching your X.509 certificate in PEM format. This can be the same
 file as the X.509 certificate.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: RSA key length:
 Please enter the length of RSA key you wish to generate. A value of
 less than 1024 bits is not considered secure. A value of more than 2048
 bits will probably affect performance.

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
 Only self-signed X.509 certificates can be created automatically,
 because otherwise a certificate authority is needed to sign the
 certificate request.
 .
 If you accept this option, the certificate created can be used
 immediately to connect to other IPSec hosts that support authentication
 via an X.509 certificate. However, using strongSwan's PKI features
 requires a trust path to be created by having all X.509 certificates
 signed by a single authority.
 .
 If you do not accept this option, only the RSA private key will be
 created, along with a certificate request which you will need to have
 signed by a certificate authority.

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
 Please enter the two-letter ISO3166 country code that should be used in
 the certificate request.
 .
 This field is mandatory; otherwise a certificate cannot be generated.

Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of the state or province to include in the
 certificate request.

Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Locality name for the X.509 certificate request:
 Please enter the locality name (often a city) that should be used in
 the certificate request.

Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Organization name for the X.509 certificate request:
 Please enter the organization name (often a company) that should be
 used in the certificate request.

Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit name (often a department) that
 should be used in the certificate request.

Template: strongswan/x509_common_name
Type: string
Default:
_Description: Common name for the X.509 certificate request:
 Please enter the common name (such as the host name of this machine)
 that should be used in the certificate request.

Template: strongswan/x509_email_address
Type: string
Default:
_Description: Email address for the X.509 certificate request:
 Please enter the email address (for the individual or organization
 responsible) that should be used in the certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
 This version of strongSwan supports opportunistic encryption (OE),
 which stores IPSec authentication information in DNS records. Until
 this is widely deployed, activating it will cause a significant delay
 for every new outgoing connection.
 .
 You should only enable opportunistic encryption if you are sure you
 want it. It may break the Internet connection (default route) as the
 pluto daemon starts.