This is the last call for comments for the review of debconf templates for strongswan.

The reviewed templates will be sent on Sunday, May 10, 2009 to the package maintainer as a bug report and a mail will be sent to this list with "[BTS]" as a subject tag.

--
Jonathan Wiltshire
PGP/GPG: 0xDB800B52 / 4216 F01F DCA9 21AC F3D3 A903 CA6B EA3E DB80 0B52

Template: strongswan/start_level
Type: select
__Choices: earliest, after NFS, after PCMCIA
Default: earliest
_Description: When to start strongSwan:
StrongSwan starts during system startup so that it can protect filesystems
that are automatically mounted.
.
* earliest: if /usr is not mounted through NFS and you don't use a
PCMCIA network card, it is best to start strongSwan as soon as
possible, so that NFS mounts can be secured by IPSec;
* after NFS: recommended when /usr is mounted through NFS and no
PCMCIA network card is used;
* after PCMCIA: recommended if the IPSec connection uses a PCMCIA
network card or if it needs keys to be fetched from a locally running DNS
server with DNSSec support.
Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan now?
Restarting strongSwan is recommended, because if there is a security fix, it
will not be applied until the daemon restarts. However, this might close
existing connections and then bring them back up.
.
If you don't restart strongSwan now, you should do so yourself at the first
opportunity.
Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
The pluto daemon must be running to support version 1 of the Internet Key
Exchange protocol.
.
Start pluto with strongSwan?
Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
The charon daemon must be running to support version 2 of the Internet Key
Exchange protocol.
.
Start charon with strongSwan?
Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Create an RSA public/private keypair for this host?
StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
IPSec connections to other hosts. RSA authentication is generally considered
more secure and is easier to administer. You can use PSK and RSA authentication
simultaneously.
.
If you do not want to create a new public/private keypair, you can choose to
use an existing one in the next step.
Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Use an existing X.509 certificate for strongSwan?
The required information can automatically be extracted from an
existing X.509 certificate with a matching RSA private key. Both parts can
be in one file, if it is in PEM format.
You should choose this option if you have such an existing
certificate and key file and want to use it for authenticating IPSec
connections.
Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
Please enter the full location of the file containing your X.509
certificate in PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your existing X.509 private key in PEM format:
Please enter the full location of the file containing the private RSA key
matching your X.509 certificate in PEM format. This can be the same file
as the X.509 certificate.
Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: RSA key length:
Please enter the length of RSA key you wish to generate. A value of less than
1024 bits is not considered secure. A value of more than 2048 bits will
probably affect performance.
Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
Only self-signed X.509 certificates can be created
automatically, because otherwise a certificate authority is needed to sign
the certificate request.
.
If you accept this option, the certificate created can be used
immediately to connect to other IPSec hosts that support authentication via
an X.509 certificate. However, using strongSwan's PKI features requires
a trust path to be created by having all X.509 certificates signed by a single
authority.
.
If you do not accept this option, only the RSA private key will be created,
along with a certificate request which you will need to have signed by a
certificate authority.
Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
Please enter the two-letter ISO3166 country code that should be
used in the certificate request.
.
This field is mandatory; otherwise a certificate cannot be generated.
Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
Please enter the full name of the state or province to include in
the certificate request.
Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Locality name for the X.509 certificate request:
Please enter the locality name (often a city)
that should be used in the certificate request.
Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Organization name for the X.509 certificate request:
Please enter the organization name (often a company)
Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Organizational unit for the X.509 certificate request:
Please enter the organizational unit name (often a department)
that should be used in the certificate request.
Template: strongswan/x509_common_name
Type: string
Default:
_Description: Common name for the X.509 certificate request:
Please enter the common name (such as the host name of this machine)
that should be used in the certificate request.
Template: strongswan/x509_email_address
Type: string
Default:
_Description: Email address for the X.509 certificate request:
Please enter the email address (for the individual or organization responsible)
that should be used in the certificate request.
Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
This version of strongSwan supports opportunistic encryption (OE), which stores
IPSec authentication information in
DNS records. Until this is widely deployed, activating it will
cause a significant delay for every new outgoing connection.
.
You should only enable opportunistic encryption if you are sure you want it.
It may break the Internet connection (default route) as the pluto daemon
starts.
.
Enable opportunistic encryption?
Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.1
Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7)
Homepage: http://www.strongswan.org
Package: strongswan
Architecture: all
Depends: strongswan-ikev1, strongswan-ikev2
Suggests: network-manager-strongswan
Description: IPsec VPN solution metapackage
The strongSwan VPN suite is based on the IPsec stack in standard Linux 2.6
kernels. It supports both the IKEv1 and IKEv2 protocols.
.
StrongSwan is one of the two remaining forks of the original FreeS/WAN
project and focuses on IKEv2 support, X.509 authentication and complete PKI
support. For a focus on Opportunistic Encryption (OE) and interoperability
with non-standard IPsec features, see Openswan.
.
This metapackage installs the packages required to maintain IKEv1 and IKEv2
connections via ipsec.conf or ipsec.secrets.
Package: libstrongswan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Description: strongSwan utility and crypto library
StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
native IPsec stack and runs on any recent 2.6 kernel (no patching required).
It supports both IKEv1 and the newer IKEv2 protocols.
.
This package provides the underlying library of charon and other strongSwan
components. It is built in a modular way and is extendable through various
plugins.
Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
Description: strongSwan daemon starter and configuration file parser
StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
native IPsec stack and runs on any recent 2.6 kernel (no patching required).
It supports both IKEv1 and the newer IKEv2 protocols.
.
The starter and the associated "ipsec" script control both pluto and charon
from the command line. It parses ipsec.conf and loads the configurations to
the daemons. While the IKEv2 daemon can use other configuration backends, the
IKEv1 daemon is limited to configurations from ipsec.conf.
Package: strongswan-ikev1
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: strongSwan Internet Key Exchange (v1) daemon
StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
native IPsec stack and runs on any recent 2.6 kernel (no patching required).
It supports both IKEv1 and the newer IKEv2 protocols.
.
Pluto is an IPsec IKEv1 daemon. It was inherited from the FreeS/WAN
project, but provides improved X.509 certificate support and other features.
.
Pluto can run in parallel with charon, the newer IKEv2 daemon.
Package: strongswan-ikev2
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Description: strongSwan Internet Key Exchange (v2) daemon
StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
native IPsec stack and runs on any recent 2.6 kernel (no patching required).
It supports both IKEv1 and the newer IKEv2 protocols.
.
Charon is an IPsec IKEv2 daemon. It is
written from scratch using a fully multi-threaded design and a modular
architecture. Various plugins provide additional functionality.
.
This build of charon can run in parallel with pluto, the IKEv1 daemon.
Package: strongswan-nm
Architecture: any
Depends: ${shlibs:Depends}, strongswan-ikev2
Recommends: network-manager-strongswan
Description: strongSwan plugin to interact with NetworkManager
StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
native IPsec stack and runs on any recent 2.6 kernel (no patching required).
It supports both IKEv1 and the newer IKEv2 protocols.
.
This plugin provides an interface which allows NetworkManager to configure
and control the IKEv2 daemon directly through D-Bus. It is designed to work
in conjunction with the network-manager-strongswan package, providing
a simple graphical frontend to configure IPsec based VPNs.