1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
# These templates have been reviewed by the debian-l10n-english
# team
#
# If modifications/additions/rewording are needed, please ask
# debian-l10n-english@lists.debian.org for advice.
#
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.
Template: strongswan/runlevel_changes
Type: note
_Description: Old runlevel management superseded
Previous versions of the strongSwan package gave a choice between
three different Start/Stop-Levels. Due to changes in the standard system
startup procedure, this is no longer necessary or useful. For all new
installations as well as old ones running in any of the predefined modes,
sane default levels will now be set. If you are upgrading from a previous
version and changed your strongSwan startup parameters, then please take a
look at NEWS.Debian for instructions on how to modify your setup accordingly.
Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan now?
Restarting strongSwan is recommended, since if there is a security fix, it
will not be applied until the daemon restarts. Most people expect the daemon
to restart, so this is generally a good idea. However, this might take down
existing connections and then bring them back up, so if you are using such
a strongSwan tunnel to connect for this update, restarting is not recommended.
Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
The pluto daemon must be running to support version 1 of the Internet Key
Exchange protocol.
Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
The charon daemon must be running to support version 2 of the Internet Key
Exchange protocol.
Template: strongswan/install_x509_certificate
Type: boolean
Default: false
_Description: Use an X.509 certificate for this host?
An X.509 certificate for this host can be automatically created or imported.
It can be used to authenticate IPsec connections to other hosts
and is the preferred way of building up secure IPsec connections. The other
possibility would be to use shared secrets (passwords that are the same on
both sides of the tunnel) for authenticating a connection, but for a larger
number of connections, key based authentication is easier to administer and
more secure.
.
Alternatively you can reject this option and later use the command
"dpkg-reconfigure strongswan" to come back.
Template: strongswan/how_to_get_x509_certificate
Type: select
__Choices: create, import
Default: create
_Description: Methods for using a X.509 certificate to authenticate this host:
It is possible to create a new X.509 certificate with user-defined settings
or to import an existing public and private key stored in PEM file(s) for
authenticating IPsec connections.
.
If you choose to create a new X.509 certificate you will first be asked
a number of questions which must be answered before the creation can start.
Please keep in mind that if you want the public key to get signed by
an existing Certificate Authority you should not select to create a
self-signed certificate and all the answers given must match exactly the
requirements of the CA, otherwise the certificate request may be rejected.
.
If you want to import an existing public and private key you will be
prompted for their filenames (which may be identical if both parts are stored
together in one file). Optionally you may also specify a filename where the
public key(s) of the Certificate Authority are kept, but this file cannot
be the same as the former ones. Please also be aware that the format for the
X.509 certificates has to be PEM and that the private key must not be encrypted
or the import procedure will fail.
Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your PEM format X.509 certificate:
Please enter the location of the file containing your X.509 certificate in
PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your PEM format X.509 private key:
Please enter the location of the file containing the private RSA key
matching your X.509 certificate in PEM format. This can be the same file
that contains the X.509 certificate.
Template: strongswan/existing_x509_rootca_filename
Type: string
_Description: File name of your PEM format X.509 RootCA:
Optionally you can now enter the location of the file containing the X.509
Certificate Authority root used to sign your certificate in PEM format. If you
do not have one or do not want to use it please leave the field empty. Please
note that it's not possible to store the RootCA in the same file as your X.509
certificate or private key.
Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: Please enter which length the created RSA key should have:
Please enter the length of the created RSA key. It should not be less than
1024 bits because this should be considered unsecure and you will probably
not need anything more than 4096 bits because it only slows the
authentication process down and is not needed at the moment.
Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
Only self-signed X.509 certificates can be created
automatically, because otherwise a Certificate Authority is needed to sign
the certificate request. If you choose to create a self-signed certificate,
you can use it immediately to connect to other IPsec hosts that support
X.509 certificate for authentication of IPsec connections. However, using
strongSwan's PKI features requires all certificates to be signed by a single
Certificate Authority to create a trust path.
.
If you do not choose to create a self-signed certificate, only the RSA
private key and the certificate request will be created, and you will
have to sign the certificate request with your Certificate Authority.
Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
Please enter the two-letter code for the country the server resides in
(such as "AT" for Austria).
.
OpenSSL will refuse to generate a certificate unless this is a valid
ISO-3166 country code; an empty field is allowed elsewhere in the X.509
certificate, but not here.
Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
Please enter the full name of the state or province the server resides in
(such as "Upper Austria").
Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Locality name for the X.509 certificate request:
Please enter the locality the server resides in (often a city, such
as "Vienna").
Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Organization name for the X.509 certificate request:
Please enter the organization the server belongs to (such as "Debian").
Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Organizational unit for the X.509 certificate request:
Please enter the organizational unit the server belongs to (such as
"security group").
Template: strongswan/x509_common_name
Type: string
Default:
_Description: Common Name for the X.509 certificate request:
Please enter the Common Name for this host (such as
"gateway.example.org").
Template: strongswan/x509_email_address
Type: string
Default:
_Description: Email address for the X.509 certificate request:
Please enter the email address of the person or organization
responsible for the X.509 certificate.
Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
This version of strongSwan supports opportunistic encryption (OE), which stores
IPSec authentication information in
DNS records. Until this is widely deployed, activating it will
cause a significant delay for every new outgoing connection.
.
You should only enable opportunistic encryption if you are sure you want it.
It may break the Internet connection (default route) as the pluto daemon
starts.
|