This is the last call for comments for the review of debconf templates for strongswan.

The reviewed templates will be sent on Sunday, May 10, 2009 to the package maintainer as a bug report and a mail will be sent to this list with "[BTS]" as a subject tag.

--
Jonathan Wiltshire

PGP/GPG: 0xDB800B52 / 4216 F01F DCA9 21AC F3D3 A903 CA6B EA3E DB80 0B52
Template: strongswan/start_level
Type: select
__Choices: earliest, after NFS, after PCMCIA
Default: earliest
_Description: When to start strongSwan:
 StrongSwan starts during system startup so that it can protect filesystems
 that are automatically mounted.
 .
  * earliest: if /usr is not mounted through NFS and you don't use a
    PCMCIA network card, it is best to start strongSwan as soon as
    possible, so that NFS mounts can be secured by IPSec;
  * after NFS: recommended when /usr is mounted through NFS and no
    PCMCIA network card is used;
  * after PCMCIA: recommended if the IPSec connection uses a PCMCIA
    network card or if it needs keys to be fetched from a locally
    running DNS server with DNSSec support.

Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan now?:
 Restarting strongSwan is recommended, because if there is a security fix,
 it will not be applied until the daemon restarts. However, this might close
 existing connections and then bring them back up.
 .
 If you don't restart strongSwan now, you should do so yourself at the first
 opportunity.

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
 The pluto daemon must be running to support version 1 of the Internet Key
 Exchange protocol.
 .
 Start pluto with strongSwan?

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
 The charon daemon must be running to support version 2 of the Internet Key
 Exchange protocol.
 .
 Start charon with strongSwan?

Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Create an RSA public/private keypair for this host?
 StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
 IPSec connections to other hosts. RSA authentication is generally considered
 more secure and is easier to administer. You can use PSK and RSA
 authentication simultaneously.
 .
 If you do not want to create a new public/private keypair, you can choose to
 use an existing one in the next step.

Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Use an existing X.509 certificate for strongSwan?
 The required information can automatically be extracted from an existing
 X.509 certificate with a matching RSA private key. Both parts can be in one
 file, if it is in PEM format. You should choose this option if you have such
 an existing certificate and key file and want to use it for authenticating
 IPSec connections.

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
 Please enter the full location of the file containing your X.509
 certificate in PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your existing X.509 private key in PEM format:
 Please enter the full location of the file containing the private RSA key
 matching your X.509 certificate in PEM format. This can be the same file
 as the X.509 certificate.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: RSA key length:
 Please enter the length of RSA key you wish to generate. A value of less
 than 1024 bits is not considered secure. A value of more than 2048 bits
 will probably affect performance.

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
 Only self-signed X.509 certificates can be created automatically, because
 otherwise a certificate authority is needed to sign the certificate request.
 .
 If you accept this option, the certificate created can be used immediately
 to connect to other IPSec hosts that support authentication via an X.509
 certificate. However, using strongSwan's PKI features requires a trust path
 to be created by having all X.509 certificates signed by a single authority.
 .
 If you do not accept this option, only the RSA private key will be created,
 along with a certificate request which you will need to have signed by a
 certificate authority.

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
 Please enter the two-letter ISO3166 country code that should be used in the
 certificate request.
 .
 This field is mandatory; otherwise a certificate cannot be generated.

Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of the state or province to include in the
 certificate request.

Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Locality name for the X.509 certificate request:
 Please enter the locality name (often a city) that should be used in the
 certificate request.

Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Organization name for the X.509 certificate request:
 Please enter the organization name (often a company)

Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit name (often a department) that should
 be used in the certificate request.

Template: strongswan/x509_common_name
Type: string
Default:
_Description: Common name for the X.509 certificate request:
 Please enter the common name (such as the host name of this machine) that
 should be used in the certificate request.

Template: strongswan/x509_email_address
Type: string
Default:
_Description: Email address for the X.509 certificate request:
 Please enter the email address (for the individual or organization
 responsible) that should be used in the certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
 This version of strongSwan supports opportunistic encryption (OE), which
 stores IPSec authentication information in DNS records. Until this is widely
 deployed, activating it will cause a significant delay for every new
 outgoing connection.
 .
 You should only enable opportunistic encryption if you are sure you want it.
 It may break the Internet connection (default route) as the pluto daemon
 starts.
 .
 Enable opportunistic encryption?
Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.1
Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev,
 libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
 libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev,
 libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf,
 hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev,
 libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7),
 libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7)
Homepage: http://www.strongswan.org

Package: strongswan
Architecture: all
Depends: strongswan-ikev1, strongswan-ikev2
Suggests: network-manager-strongswan
Description: IPsec VPN solution metapackage
 The strongSwan VPN suite is based on the IPsec stack in standard Linux 2.6
 kernels. It supports both the IKEv1 and IKEv2 protocols.
 .
 StrongSwan is one of the two remaining forks of the original FreeS/WAN
 project and focuses on IKEv2 support, X.509 authentication and complete PKI
 support. For a focus on Opportunistic Encryption (OE) and interoperability
 with non-standard IPsec features, see Openswan.
 .
 This metapackage installs the packages required to maintain IKEv1 and IKEv2
 connections via ipsec.conf or ipsec.secrets.

Package: libstrongswan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Description: strongSwan utility and crypto library
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This package provides the underlying library of charon and other strongSwan
 components. It is built in a modular way and is extendable through various
 plugins.

Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan,
 strongswan-ikev1 | strongswan-ikev2
Description: strongSwan daemon starter and configuration file parser
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 The starter and the associated "ipsec" script control both pluto and charon
 from the command line. It parses ipsec.conf and loads the configurations to
 the daemons. While the IKEv2 daemon can use other configuration backends,
 the IKEv1 daemon is limited to configurations from ipsec.conf.

Package: strongswan-ikev1
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter,
 bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: strongSwan Internet Key Exchange (v1) daemon
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Pluto is an IPsec IKEv1 daemon. It was inherited from the FreeS/WAN project,
 but provides improved X.509 certificate support and other features.
 .
 Pluto can run in parallel with charon, the newer IKEv2 daemon.

Package: strongswan-ikev2
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan,
 strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7),
 ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Description: strongSwan Internet Key Exchange (v2) daemon
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Charon is an IPsec IKEv2 daemon. It is written from scratch using a fully
 multi-threaded design and a modular architecture. Various plugins provide
 additional functionality.
 .
 This build of charon can run in parallel with pluto, the IKEv1 daemon.

Package: strongswan-nm
Architecture: any
Depends: ${shlibs:Depends}, strongswan-ikev2
Recommends: network-manager-strongswan
Description: strongSwan plugin to interact with NetworkManager
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This plugin provides an interface which allows NetworkManager to configure
 and control the IKEv2 daemon directly through D-Bus. It is designed to work
 in conjunction with the network-manager-strongswan package, providing a
 simple graphical frontend to configure IPsec based VPNs.
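The strongswan/existing_x509_certificate and strongswan/rsa_key_length templates above ask for a certificate with a matching RSA private key and call keys under 1024 bits insecure. The following is an added example, not part of the original mail or of the strongswan package: a pre-flight check an administrator could run on the PEM file(s) before entering their paths. The function names are hypothetical, and it assumes an unencrypted key and the standard openssl command-line tool.

```shell
#!/bin/sh
# Added example: checks for an existing PEM certificate and RSA key before
# their paths are given to the strongswan debconf prompts.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds when the certificate's public key equals the one derived from the
# private key. Both arguments may name the same combined PEM file.
# Returns 2 when either file cannot be parsed, 1 on a mismatch.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the RSA modulus size in bits, or nothing if the file holds no RSA key.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Combines both checks; the 1024-bit floor is the one stated in the
# strongswan/rsa_key_length template.
check_existing_credentials() {
    cert=$1
    key=$2
    if ! cert_key_match "$cert" "$key"; then
        echo "certificate and private key do not match (or are unreadable)" >&2
        return 1
    fi
    bits=$(rsa_key_bits "$key")
    if [ -z "$bits" ]; then
        echo "private key is not an RSA key" >&2
        return 1
    fi
    if [ "$bits" -lt 1024 ]; then
        echo "RSA key is only $bits bits" >&2
        return 1
    fi
    echo "ok: $bits-bit RSA key matches certificate"
}

# Usage: sh check.sh /path/to/cert.pem /path/to/key.pem
if [ "$#" -eq 2 ]; then
    check_existing_credentials "$1" "$2"
fi
```

For a combined PEM file, pass the same path as both arguments.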