
[TAF] templates://strongswan/{strongswan-starter.templates}



The strongswan package introduced new or modified debconf
templates. This is the perfect moment for a review to help the package
maintainer follow the generally suggested writing style and track
down typos and errors in the use of the English language.

If someone wants to pick up this review, please reply to this mail,
on the mailing list, with an [ITR] (Intent To Review) label.

The templates file is attached.

To propose the file you reviewed for peer review, please send a [RFR]
(Request For Review) mail with the reviewed file attached, then a few
days later, when no more contributions come, a summary mail with a
[LCFC] (Last Chance For Comments) label.

Finally, once no more comments come in response to the LCFC mail, you can
send the reviewed templates file as a bug report against the package.

Then, please notify the list with a last mail using a [BTS] label
with the bug number.

Helping the package maintainer to deal with induced translation
updates at that moment will be nice. If you're not comfortable with
that part of the process, please hand it off to a translator.

-- 


Template: strongswan/start_level
Type: select
_Choices: earliest, "after NFS", "after PCMCIA"
Default: earliest
_Description: When to start strongSwan:
 There are three possibilities when strongSwan can start: before or
 after the NFS services and after the PCMCIA services. The correct answer
 depends on your specific setup.
 .
 If you do not have your /usr tree mounted via NFS (either you only mount
 other, less vital trees via NFS or don't use NFS mounted trees at all) and
 don't use a PCMCIA network card, then it's best to start strongSwan at
 the earliest possible time, thus allowing the NFS mounts to be secured by
 IPSec. In this case (or if you don't understand or care about this
 issue), answer "earliest" to this question (the default).
 .
 If you have your /usr tree mounted via NFS and don't use a PCMCIA network
 card, then you will need to start strongSwan after NFS so that all
 necessary files are available. In this case, answer "after NFS" to this
 question. Please note that the NFS mount of /usr can not be secured by
 IPSec in this case.
 .
 If you use a PCMCIA network card for your IPSec connections, then you only
 have to choose to start it after the PCMCIA services. Answer "after
 PCMCIA" in this case. This is also the correct answer if you want to fetch
 keys from a locally running DNS server with DNSSec support.

Template: strongswan/restart
Type: boolean
Default: true
_Description: Do you wish to restart strongSwan?
 Restarting strongSwan is a good idea, since if there is a security fix, it
 will not be fixed until the daemon restarts. Most people expect the daemon
 to restart, so this is generally a good idea. However this might take down
 existing connections and then bring them back up.

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Do you wish to support IKEv1?
 strongSwan supports both versions of the Internet Key Exchange protocol,
 IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support
 when strongSwan is started?

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Do you wish to support IKEv2?
 strongSwan supports both versions of the Internet Key Exchange protocol,
 IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support
 when strongSwan is started?

Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Do you want to create a RSA public/private keypair for this host?
 This installer can automatically create a RSA public/private keypair
 with an X.509 certificate for this host. This can be used to authenticate 
 IPSec connections to other hosts and is the preferred way for building up 
 secure IPSec connections. The other possibility would be to use pre-shared 
 secrets (PSKs, passwords that are the same on both sides of the tunnel) for
 authenticating an connection, but for a larger number of connections RSA
 authentication is easier to administer and more secure. Note that
 having a keypair allows to use both X.509 and PSK authentication for IPsec 
 tunnels.
 .
 If you do not want to create a new public/private keypair, you can choose to
 use an existing one in the next step.

Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Do you have an existing X.509 certificate file for strongSwan?
 This installer can automatically extract the needed information from an
 existing X.509 certificate with a matching RSA private key. Both parts can
 be in one file, if it is in PEM format. If you have such an existing
 certificate and key file and want to use it for authenticating IPSec
 connections, then please answer yes.

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
 Please enter the full location of the file containing your X.509
 certificate in PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your X.509 private key in PEM format:
 Please enter the full location of the file containing the private RSA key
 matching your X.509 certificate in PEM format. This can be the same file
 that contains the X.509 certificate.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: The length of the created RSA key (in bits):
 Please enter the length of the created RSA key. It should not be less than
 1024 bits because this should be considered unsecure and you will probably
 not need anything more than 2048 bits because it only slows the
 authentication process down and is not needed at the moment.

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Do you want to create a self-signed X.509 certificate?
 This installer can only create self-signed X.509 certificates
 automatically, because otherwise a certificate authority is needed to sign
 the certificate request. If you want to create a self-signed certificate,
 you can use it immediately to connect to other IPSec hosts that support
 X.509 certificate for authentication of IPSec connections. However, if you
 want to use the new PKI features of strongSwan >= 1.91, you will need to
 have all X.509 certificates signed by a single certificate authority to
 create a trust path.
 .
 If you do not want to create a self-signed certificate, then this
 installer will only create the RSA private key and the certificate request
 and you will have to get the certificate request signed by your certificate
 authority.

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
 Please enter the 2 letter country code for your country. This code will be
 placed in the certificate request. 
 .
 You really need to enter a valid country code here, because openssl will
 refuse to generate certificates without one. An empty field is allowed for
 any other field of the X.509 certificate, but not for this one.
 .
 Example: AT

Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of the state or province you live in. This name
 will be placed in the certificate request.
 .
 Example: Upper Austria

Template: strongswan/x509_locality_name
Type: string
Default: 
_Description: Locality name for the X.509 certificate request:
 Please enter the locality (e.g. city) where you live. This name will be
 placed in the certificate request.
 .
 Example: Vienna

Template: strongswan/x509_organization_name
Type: string
Default: 
_Description: Organization name for the X.509 certificate request:
 Please enter the organization (e.g. company) that the X.509 certificate
 should be created for. This name will be placed in the certificate
 request.
 .
 Example: Debian

Template: strongswan/x509_organizational_unit
Type: string
Default: 
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit (e.g. section) that the X.509
 certificate should be created for. This name will be placed in the
 certificate request.
 .
 Example: security group

Template: strongswan/x509_common_name
Type: string
Default: 
_Description: Common name for the X.509 certificate request:
 Please enter the common name (e.g. the host name of this machine) for
 which the X.509 certificate should be created for. This name will be placed
 in the certificate request.
 .
 Example: gateway.debian.org

Template: strongswan/x509_email_address
Type: string
Default: 
_Description: Email address for the X.509 certificate request:
 Please enter the email address of the person or organization who is
 responsible for the X.509 certificate. This address will be placed in the
 certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Do you wish to enable opportunistic encryption in strongSwan?
 strongSwan comes with support for opportunistic encryption (OE), which stores
 IPSec authentication information (i.e. RSA public keys) in (preferably
 secure) DNS records. Until this is widely deployed, activating it will
 cause a significant slow-down for every new, outgoing connection. Since
 version 2.0, strongSwan upstream comes with OE enabled by default and is thus
 likely to break your existing connection to the Internet (i.e. your default
 route) as soon as pluto (the strongSwan keying daemon) is started.
 .
 Please choose whether you want to enable support for OE. If unsure, do not
 enable it.

Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.1
Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7)
Homepage: http://www.strongswan.org

Package: strongswan
Architecture: all
Depends: strongswan-ikev1, strongswan-ikev2
Suggests: network-manager-strongswan
Description: IPsec VPN solution metapackage
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 strongSwan is one of the two remaining forks of the original FreeS/WAN 
 project and focuses on IKEv2 support, X.509 authentication and complete PKI 
 support. For a focus on Opportunistic Encryption (OE) and interoperability 
 with non-standard IPsec features, see Openswan.
 .
 This metapackage has dependencies to the IKEv1 daemon pluto and IKEv2 daemon
 charon. It installs the required packages to run IKEv1 and IKEv2 connections
 using a ipsec.conf/ipsec.secrets based configuration.

Package: libstrongswan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Description: strongSwan utility and crypto library
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 libstrongswan is the underlying library of charon and other strongSwan
 components. It is built in a modular way and is extendable through various
 plugins.

Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
Description: strongSwan daemon starter and configuration file parser
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 The starter and the associated "ipsec" script control both pluto and charon
 from the command line. It parses ipsec.conf and loads the configurations to
 the daemons. While the IKEv2 daemon can use other configuration backends, the
 IKEv1 daemon is limited to configurations from ipsec.conf.

Package: strongswan-ikev1
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: strongSwan IKEv1 keying daemon
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Pluto is a IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN
 project, but provides improved X.509 certificate support and other features.
 .
 Pluto can run in parallel with charon, the newer IKEv2 daemon.

Package: strongswan-ikev2
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Description: strongSwan IKEv2 keying daemon
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Charon is the IPsec IKEv2 keying daemon of the strongSwan project. It is
 written from scratch using a fully multi-threaded design and a modular
 architecture. Various plugins provide additional functionality.
 .
 This build of charon can run in parallel with pluto, the IKEv1 daemon.

Package: strongswan-nm
Architecture: any
Depends: ${shlibs:Depends}, strongswan-ikev2
Recommends: network-manager-strongswan
Description: strongSwan plugin to interact with NetworkManager
 strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This plugin provides an interface which allows NetworkManager to configure
 and control the IKEv2 daemon directly through DBUS. It is designed to work
 in conjunction with the network-manager-strongswan package, providing
 a simple graphical frontend to configure IPsec based VPNs.
