path: root/debian/strongswan-starter.templates
blob: 8d239c27133793a883cc365b2405878c16ba16e2
# These templates have been reviewed by the debian-l10n-english
# team
#
# If modifications/additions/rewording are needed, please ask
# debian-l10n-english@lists.debian.org for advice.
#
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.

Template: strongswan/start_level
Type: select
__Choices: earliest, after NFS, after PCMCIA
Default: earliest
_Description: When to start strongSwan:
 StrongSwan starts during system startup so that it can protect filesystems
 that are automatically mounted.
 .
  * earliest: if /usr is not mounted through NFS and you don't use a
    PCMCIA network card, it is best to start strongSwan as soon as
    possible, so that NFS mounts can be secured by IPSec;
  * after NFS: recommended when /usr is mounted through NFS and no
    PCMCIA network card is used;
  * after PCMCIA: recommended if the IPSec connection uses a PCMCIA
    network card or if it needs keys to be fetched from a locally running DNS
    server with DNSSec support.

Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan now?
 Restarting strongSwan is recommended, because if there is a security fix, it
 will not be applied until the daemon restarts. However, this might close
 existing connections and then bring them back up.
 .
 If you don't restart strongSwan now, you should do so manually at the first
 opportunity.

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
 The pluto daemon must be running to support version 1 of the Internet Key
 Exchange protocol.

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
 The charon daemon must be running to support version 2 of the Internet Key
 Exchange protocol.

Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Create an RSA public/private keypair for this host?
 StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
 IPSec connections to other hosts. RSA authentication is generally considered
 more secure and is easier to administer. You can use PSK and RSA authentication
 simultaneously.
 .
 If you do not want to create a new public/private keypair, you can choose to
 use an existing one in the next step.

Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Use an existing X.509 certificate for strongSwan?
 The required information can automatically be extracted from an
 existing X.509 certificate with a matching RSA private key. Both parts can
 be in one file, if it is in PEM format.
 You should choose this option if you have such an existing
 certificate and key file and want to use it for authenticating IPSec
 connections.

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
 Please enter the full location of the file containing your X.509
 certificate in PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your existing X.509 private key in PEM format:
 Please enter the full location of the file containing the private RSA key
 matching your X.509 certificate in PEM format. This can be the same file
 as the X.509 certificate.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: RSA key length:
 Please enter the length of RSA key you wish to generate. A value of less than
 1024 bits is not considered secure. A value of more than 2048 bits will
 probably affect performance.

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
 Only self-signed X.509 certificates can be created
 automatically, because otherwise a certificate authority is needed to sign
 the certificate request.
 .
 If you accept this option, the certificate created can be used
 immediately to connect to other IPSec hosts that support authentication via
 an X.509 certificate. However, using strongSwan's PKI features requires a
 trust path to be created by having all X.509 certificates signed by a single
 authority.
 .
 If you do not accept this option, only the RSA private key will be created,
 along with a certificate request which you will need to have signed by a
 certificate authority.

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
 Please enter the two-letter ISO3166 country code that should be
 used in the certificate request.
 .
 This field is mandatory; otherwise a certificate cannot be generated.

Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of the state or province to include in
 the certificate request.

Template: strongswan/x509_locality_name
Type: string
Default: 
_Description: Locality name for the X.509 certificate request:
 Please enter the locality name (often a city)
 that should be used in the certificate request.

Template: strongswan/x509_organization_name
Type: string
Default: 
_Description: Organization name for the X.509 certificate request:
 Please enter the organization name (often a company)
 that should be used in the certificate request.

Template: strongswan/x509_organizational_unit
Type: string
Default: 
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit name (often a department)
 that should be used in the certificate request.

Template: strongswan/x509_common_name
Type: string
Default: 
_Description: Common name for the X.509 certificate request:
 Please enter the common name (such as the host name of this machine)
 that should be used in the certificate request.

Template: strongswan/x509_email_address
Type: string
Default: 
_Description: Email address for the X.509 certificate request:
 Please enter the email address (for the individual or organization responsible)
 that should be used in the certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
 This version of strongSwan supports opportunistic encryption (OE), which stores
 IPSec authentication information in
 DNS records. Until this is widely deployed, activating it will
 cause a significant delay for every new outgoing connection.
 .
 You should only enable opportunistic encryption if you are sure you want it.
 It may break the Internet connection (default route) as the pluto daemon
 starts.