Please find, for review, the debconf templates of strongswan.

This review will last from Saturday, April 25, 2009 to Tuesday, May 05, 2009.

Please send reviews as unified diffs (diff -u) against the original files. Comments about your proposed changes will be appreciated.

Your review should be sent as an answer to this mail.

When appropriate, I will send intermediate requests for review, with "[RFRn]" (n>=2) as a subject tag.

When we reach a consensus, I will send a "Last Chance For Comments" mail with "[LCFC]" as a subject tag.

Finally, the reviewed templates will be sent to the package maintainer as a bug report, and a mail will be sent to this list with "[BTS]" as a subject tag.

Rationale:
--- /home/jona/debian/rewrite/strongswan-starter/strongswan-starter.old/debian/strongswan-starter.templates 2009-04-22 11:31:20.000000000 +0100 +++ /home/jona/debian/rewrite/strongswan-starter/strongswan-starter/debian/strongswan-starter.templates 2009-04-25 21:47:06.000000000 +0100 
@@ -3,79 +3,84 @@ _Choices: earliest, "after NFS", "after PCMCIA" Default: earliest _Description: When to start strongSwan: - There are three possibilities when strongSwan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it's best to start strongSwan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). + strongSwan starts during system startup so that it can protect filesystems + that are automatically mounted. There are three sensible times for it to + do this: before NFS services start; after NFS services start; or after + PCMCIA services start. + . + If /usr is not mounted through NFS and you don't use a PCMCIA network card, + it is best to start strongSwan as soon as possible, so that NFS mounts can + be secured by IPSec. If this is true for your system, you should answer + "earliest". . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start strongSwan after NFS so that all + If /usr is mounted through NFS and you don't use a PCMCIA network + card, you need to start strongSwan after NFS services so that all necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. + question. /usr can not be secured by IPSec in this case. . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choose to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. 
This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. + If you use a PCMCIA network card for your IPSec connections and + need to start strongSwan after PCMCIA services, or you want to fetch + keys from a locally running DNS server with DNSSec support, you should answer + "after PCMCIA". + . + If you are not sure about this question, answer "earliest". You can change + this option later with dpkg-reconfigure strongswan-starter. + . + When should strongSwan be started? This question is huge and the user gets lost before being asked for a decision. Simplify the explanations as far as possible, lay them out the same, and re-iterate the question at the end. Template: strongswan/restart Type: boolean Default: true -_Description: Do you wish to restart strongSwan? - Restarting strongSwan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down +_Description: Restart strongSwan: + Restarting strongSwan is a good idea, because if there is a security fix, it + will not be applied until the daemon restarts. However, this might close existing connections and then bring them back up. + . + Restart strongSwan now? Tidy the grammar and clarify the question as 'now'. Template: strongswan/ikev1 Type: boolean Default: true -_Description: Do you wish to support IKEv1? +_Description: Support IKEv1? strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "pluto" daemon for IKEv1 support - when strongSwan is started? + IKEv1 and IKEv2. The pluto daemon must be running for IKEv1 support. Style improvement + . + Start pluto with strongSwan? Clarify the question. Template: strongswan/ikev2 Type: boolean Default: true -_Description: Do you wish to support IKEv2? +_Description: Support IKEv2? 
strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support - when strongSwan is started? + IKEv1 and IKEv2. The charon daemon must be running for IKEv2 support. + . + Start charon with strongSwan? Make this question the same style and layout as before. Template: strongswan/create_rsa_key Type: boolean Default: true -_Description: Do you want to create a RSA public/private keypair for this host? - This installer can automatically create a RSA public/private keypair - with an X.509 certificate for this host. This can be used to authenticate - IPSec connections to other hosts and is the preferred way for building up - secure IPSec connections. The other possibility would be to use pre-shared - secrets (PSKs, passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. Note that - having a keypair allows to use both X.509 and PSK authentication for IPsec - tunnels. +_Description: Create an RSA public/private keypair for this host? + strongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate + IPSec connections to other hosts. RSA authentication is generally considered + more secure and is easier to administer. You can use PSK and RSA authentication + simultaneously. . If you do not want to create a new public/private keypair, you can choose to use an existing one in the next step. + . + Create an RSA keypair for this host? This question doesn't need so much background, it makes the question very convoluted. Simplify it and as a direct question at the end. Template: strongswan/existing_x509_certificate Type: boolean Default: false -_Description: Do you have an existing X.509 certificate file for strongSwan? +_Description: Use an existing X.509 certificate for strongSwan? 
This installer can automatically extract the needed information from an existing X.509 certificate with a matching RSA private key. Both parts can be in one file, if it is in PEM format. If you have such an existing certificate and key file and want to use it for authenticating IPSec connections, then please answer yes. + . + Use an existing X.509 certificate? Clarify the question. Template: strongswan/existing_x509_certificate_filename Type: string @@ -88,21 +93,22 @@ _Description: File name of your X.509 private key in PEM format: Please enter the full location of the file containing the private RSA key matching your X.509 certificate in PEM format. This can be the same file - that contains the X.509 certificate. + as the X.509 certificate. Grammar improvement. Template: strongswan/rsa_key_length Type: string Default: 2048 -_Description: The length of the created RSA key (in bits): - Please enter the length of the created RSA key. It should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. +_Description: RSA key length: + Please enter the length of RSA key you wish to generate. A value of less than + 1024 bits is not considered secure. A value of more than 2048 bits will + probably affect performance. The recommended value is 2048 bits. + . + RSA key length: Make the guidance easier to translate and for non-native speakers, and make a clear prompt. Template: strongswan/x509_self_signed Type: boolean Default: true -_Description: Do you want to create a self-signed X.509 certificate? +_Description: Create a self-signed X.509 certificate? This installer can only create self-signed X.509 certificates automatically, because otherwise a certificate authority is needed to sign the certificate request. If you want to create a self-signed certificate, 
@@ -113,9 +119,10 @@ create a trust path. . If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to get the certificate request signed by your certificate - authority. + installer will only create the RSA private key and the certificate request, + which you will need to have signed by your certificate authority. Style and grammar changes. + . + Create a self-signed certificate? Make it clear that we're asking about self-signed certificates, not keypairs or anything else. Template: strongswan/x509_country_code Type: string @@ -124,9 +131,7 @@ Please enter the 2 letter country code for your country. This code will be placed in the certificate request. . - You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. + This field is mandatory, otherwise a certificate cannot be generated. . Example: AT Style and simplification for the same reasons. @@ -134,7 +139,7 @@ Type: string Default: _Description: State or province name for the X.509 certificate request: - Please enter the full name of the state or province you live in. This name + Please enter the full name of your state or province. This name will be placed in the certificate request. . Example: Upper Austria @@ -143,7 +148,7 @@ Type: string Default: _Description: Locality name for the X.509 certificate request: - Please enter the locality (e.g. city) where you live. This name will be + Please enter your locality (e.g. city). This name will be placed in the certificate request. . Example: Vienna In each of these questions, the person creating the certificate may live in a different place to the organisation for whom they are creating it. 'Your locality' is more neutral in this case. 
@@ -152,9 +157,8 @@ Type: string Default: _Description: Organization name for the X.509 certificate request: - Please enter the organization (e.g. company) that the X.509 certificate - should be created for. This name will be placed in the certificate - request. + Please enter the organization (e.g. company) for whom the X.509 certificate + should be created. This name will be placed in the certificate request. . Example: Debian @@ -162,8 +166,8 @@ Type: string Default: _Description: Organizational unit for the X.509 certificate request: - Please enter the organizational unit (e.g. section) that the X.509 - certificate should be created for. This name will be placed in the + Please enter the organizational unit (e.g. section) for whom the X.509 + certificate should be created. This name will be placed in the certificate request. . Example: security group @@ -173,7 +177,7 @@ Default: _Description: Common name for the X.509 certificate request: Please enter the common name (e.g. the host name of this machine) for - which the X.509 certificate should be created for. This name will be placed + which the X.509 certificate should be created. This name will be placed in the certificate request. . Example: gateway.debian.org In each of these questions, a simple grammar change. 
@@ -189,14 +193,14 @@ Template: strongswan/enable-oe Type: boolean Default: false -_Description: Do you wish to enable opportunistic encryption in strongSwan? - strongSwan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, strongSwan upstream comes with OE enabled by default and is thus - likely to break your existing connection to the Internet (i.e. your default - route) as soon as pluto (the strongSwan keying daemon) is started. +_Description: Enable opportunistic encryption? + This version of strongSwan supports opportunistic encryption (OE), which stores + IPSec authentication information in + DNS records. Until this is widely deployed, activating it will + cause a significant delay for every new outgoing connection. + . + You should only enable opportunistic encryption if you are sure you want it. + It may break your Internet connection (default route) as the pluto daemon + starts. . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. + Enable opportunistic encryption? I'm still unsure about this question. It's very unwieldy, but I'm not sure my version is any less so. --- /home/jona/debian/rewrite/strongswan-starter/strongswan-starter.old/debian/control 2009-04-22 11:31:20.000000000 +0100 +++ /home/jona/debian/rewrite/strongswan-starter/strongswan-starter/debian/control 2009-04-23 12:37:26.000000000 +0100 In this file, the changes are just grammar, mostly hyphenations. 
@@ -11,7 +11,7 @@ Depends: strongswan-ikev1, strongswan-ikev2 Suggests: network-manager-strongswan Description: IPsec VPN solution metapackage - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. . @@ -22,13 +22,13 @@ . This metapackage has dependencies to the IKEv1 daemon pluto and IKEv2 daemon charon. It installs the required packages to run IKEv1 and IKEv2 connections - using a ipsec.conf/ipsec.secrets based configuration. + using a ipsec.conf/ipsec.secrets-based configuration. Package: libstrongswan Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, openssl Description: strongSwan utility and crypto library - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. . @@ -40,7 +40,7 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2 Description: strongSwan daemon starter and configuration file parser - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. . 
@@ -58,11 +58,11 @@ Conflicts: freeswan (<< 2.04-12), openswan Replaces: openswan Description: strongSwan IKEv1 keying daemon - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. . - Pluto is a IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN + Pluto is an IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN project, but provides improved X.509 certificate support and other features. . Pluto can run in parallel with charon, the newer IKEv2 daemon. @@ -75,11 +75,11 @@ Provides: ike-server Conflicts: freeswan (<< 2.04-12), openswan Description: strongSwan IKEv2 keying daemon - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec- based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. . - Charon is the IPsec IKEv2 keying daemon of the strongSwan project. It is + Charon is an IPsec IKEv2 keying daemon. It is written from scratch using a fully multi-threaded design and a modular architecture. Various plugins provide additional functionality. . @@ -90,7 +90,7 @@ Depends: ${shlibs:Depends}, strongswan-ikev2 Recommends: network-manager-strongswan Description: strongSwan plugin to interact with NetworkManager - strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the native IPsec stack and runs on any recent 2.6 kernel (no patching required). It supports both IKEv1 and the newer IKEv2 protocols. .
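Review bot: in the "after NFS" paragraph of strongswan/start_level (templates hunk @@ -3,79 +3,84 @@), the new sentence "/usr can not be secured by IPSec in this case." drops the "NFS mount of" qualifier that the removed text had, so it no longer says that it is the mount traffic that goes unprotected. Suggest "The NFS mount of /usr cannot be secured by IPsec in this case." In the same hunk, strongswan/restart is Type: boolean but its short description "Restart strongSwan:" ends in a colon, while every other boolean template here ends in a question mark.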
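Review bot: in strongswan/rsa_key_length (templates hunk @@ -88,21 +93,22 @@), the added closing line "RSA key length:" repeats the short description word for word, so the user reads the same prompt twice; the last two added lines can go. The template is Type: string, so the 1024-bit floor stated in the text is guidance only unless the config script rejects smaller answers, which this patch does not show; it is worth confirming that check exists rather than relying on the wording.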
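Review bot: in the second paragraph of strongswan/enable-oe (templates hunk @@ -189,14 +193,14 @@), "It may break your Internet connection (default route) as the pluto daemon starts" is ambiguous, because "as" can be read as "while" or "because". The removed text said "as soon as pluto ... is started", and "as soon as the pluto daemon starts" keeps that meaning. The first paragraph also needs reflowing: the line "IPSec authentication information in" is left short after the parenthetical was cut.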
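Review bot: in the metapackage description (control hunk @@ -22,13 +22,13 @@), the changed line still reads "using a ipsec.conf/ipsec.secrets-based configuration". The same hunk corrects "a IPsec" to "an IPsec" a few lines further down, and the article needs the same correction here: "an ipsec.conf/ipsec.secrets-based configuration".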
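Review bot: the "strongSwan IKEv2 keying daemon" description (control hunk @@ -75,11 +75,11 @@) now reads "an IPsec- based VPN solution", with a stray space after the hyphen; every other package description in the file has "IPsec-based". The Charon sentence in the same hunk also loses "of the strongSwan project", which goes beyond the grammar-only change described for this file, so it is worth confirming that the removal is intended.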
Template: strongswan/start_level
Type: select
_Choices: earliest, "after NFS", "after PCMCIA"
Default: earliest
_Description: When to start strongSwan:
 strongSwan starts during system startup so that it can protect filesystems
 that are automatically mounted. There are three sensible times for it to
 do this: before NFS services start; after NFS services start; or after
 PCMCIA services start.
 .
 If /usr is not mounted through NFS and you don't use a PCMCIA network card,
 it is best to start strongSwan as soon as possible, so that NFS mounts can
 be secured by IPSec. If this is true for your system, you should answer
 "earliest".
 .
 If /usr is mounted through NFS and you don't use a PCMCIA network
 card, you need to start strongSwan after NFS services so that all
 necessary files are available. In this case, answer "after NFS" to this
 question. /usr can not be secured by IPSec in this case.
 .
 If you use a PCMCIA network card for your IPSec connections and
 need to start strongSwan after PCMCIA services, or you want to fetch
 keys from a locally running DNS server with DNSSec support, you should answer
 "after PCMCIA".
 .
 If you are not sure about this question, answer "earliest". You can change
 this option later with dpkg-reconfigure strongswan-starter.
 .
 When should strongSwan be started?

Template: strongswan/restart
Type: boolean
Default: true
_Description: Restart strongSwan:
 Restarting strongSwan is a good idea, because if there is a security fix, it
 will not be applied until the daemon restarts. However, this might close
 existing connections and then bring them back up.
 .
 Restart strongSwan now?

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Support IKEv1?
 strongSwan supports both versions of the Internet Key Exchange protocol,
 IKEv1 and IKEv2. The pluto daemon must be running for IKEv1 support.
 .
 Start pluto with strongSwan?

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Support IKEv2?
 strongSwan supports both versions of the Internet Key Exchange protocol,
 IKEv1 and IKEv2. The charon daemon must be running for IKEv2 support.
 .
 Start charon with strongSwan?

Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Create an RSA public/private keypair for this host?
 strongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate
 IPSec connections to other hosts. RSA authentication is generally considered
 more secure and is easier to administer. You can use PSK and RSA authentication
 simultaneously.
 .
 If you do not want to create a new public/private keypair, you can choose to
 use an existing one in the next step.
 .
 Create an RSA keypair for this host?

Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
_Description: Use an existing X.509 certificate for strongSwan?
 This installer can automatically extract the needed information from an
 existing X.509 certificate with a matching RSA private key. Both parts can
 be in one file, if it is in PEM format. If you have such an existing
 certificate and key file and want to use it for authenticating IPSec
 connections, then please answer yes.
 .
 Use an existing X.509 certificate?

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: File name of your X.509 certificate in PEM format:
 Please enter the full location of the file containing your X.509
 certificate in PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: File name of your X.509 private key in PEM format:
 Please enter the full location of the file containing the private RSA key
 matching your X.509 certificate in PEM format. This can be the same file
 as the X.509 certificate.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: RSA key length:
 Please enter the length of RSA key you wish to generate. A value of less than
 1024 bits is not considered secure. A value of more than 2048 bits will
 probably affect performance. The recommended value is 2048 bits.
 .
 RSA key length:

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Create a self-signed X.509 certificate?
 This installer can only create self-signed X.509 certificates
 automatically, because otherwise a certificate authority is needed to sign
 the certificate request. If you want to create a self-signed certificate,
 you can use it immediately to connect to other IPSec hosts that support
 X.509 certificate for authentication of IPSec connections. However, if you
 want to use the new PKI features of strongSwan >= 1.91, you will need to
 have all X.509 certificates signed by a single certificate authority to
 create a trust path.
 .
 If you do not want to create a self-signed certificate, then this
 installer will only create the RSA private key and the certificate request,
 which you will need to have signed by your certificate authority.
 .
 Create a self-signed certificate?

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Country code for the X.509 certificate request:
 Please enter the 2 letter country code for your country. This code will be
 placed in the certificate request.
 .
 This field is mandatory, otherwise a certificate cannot be generated.
 .
 Example: AT

Template: strongswan/x509_state_name
Type: string
Default:
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of your state or province. This name
 will be placed in the certificate request.
 .
 Example: Upper Austria

Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Locality name for the X.509 certificate request:
 Please enter your locality (e.g. city). This name will be
 placed in the certificate request.
 .
 Example: Vienna

Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Organization name for the X.509 certificate request:
 Please enter the organization (e.g. company) for whom the X.509 certificate
 should be created. This name will be placed in the certificate request.
 .
 Example: Debian

Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit (e.g. section) for whom the X.509
 certificate should be created. This name will be placed in the
 certificate request.
 .
 Example: security group

Template: strongswan/x509_common_name
Type: string
Default:
_Description: Common name for the X.509 certificate request:
 Please enter the common name (e.g. the host name of this machine) for
 which the X.509 certificate should be created. This name will be placed
 in the certificate request.
 .
 Example: gateway.debian.org

Template: strongswan/x509_email_address
Type: string
Default:
_Description: Email address for the X.509 certificate request:
 Please enter the email address of the person or organization who is
 responsible for the X.509 certificate. This address will be placed in the
 certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
 This version of strongSwan supports opportunistic encryption (OE), which stores
 IPSec authentication information in
 DNS records. Until this is widely deployed, activating it will
 cause a significant delay for every new outgoing connection.
 .
 You should only enable opportunistic encryption if you are sure you want it.
 It may break your Internet connection (default route) as the pluto daemon
 starts.
 .
 Enable opportunistic encryption?
--- ../strongswan.old/debian/strongswan-starter.templates 1970-01-01 01:00:00.000000000 +0100 +++ debian/strongswan-starter.templates 2009-04-25 21:47:06.000000000 +0100 
@@ -0,0 +1,206 @@ +Template: strongswan/start_level +Type: select +_Choices: earliest, "after NFS", "after PCMCIA" +Default: earliest +_Description: When to start strongSwan: + strongSwan starts during system startup so that it can protect filesystems + that are automatically mounted. There are three sensible times for it to + do this: before NFS services start; after NFS services start; or after + PCMCIA services start. + . + If /usr is not mounted through NFS and you don't use a PCMCIA network card, + it is best to start strongSwan as soon as possible, so that NFS mounts can + be secured by IPSec. If this is true for your system, you should answer + "earliest". + . + If /usr is mounted through NFS and you don't use a PCMCIA network + card, you need to start strongSwan after NFS services so that all + necessary files are available. In this case, answer "after NFS" to this + question. /usr can not be secured by IPSec in this case. + . + If you use a PCMCIA network card for your IPSec connections and + need to start strongSwan after PCMCIA services, or you want to fetch + keys from a locally running DNS server with DNSSec support, you should answer + "after PCMCIA". + . + If you are not sure about this question, answer "earliest". You can change + this option later with dpkg-reconfigure strongswan-starter. + . + When should strongSwan be started? + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Restart strongSwan: + Restarting strongSwan is a good idea, because if there is a security fix, it + will not be applied until the daemon restarts. However, this might close + existing connections and then bring them back up. + . + Restart strongSwan now? + +Template: strongswan/ikev1 +Type: boolean +Default: true +_Description: Support IKEv1? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. The pluto daemon must be running for IKEv1 support. + . + Start pluto with strongSwan? 
+ +Template: strongswan/ikev2 +Type: boolean +Default: true +_Description: Support IKEv2? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. The charon daemon must be running for IKEv2 support. + . + Start charon with strongSwan? + +Template: strongswan/create_rsa_key +Type: boolean +Default: true +_Description: Create an RSA public/private keypair for this host? + strongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate + IPSec connections to other hosts. RSA authentication is generally considered + more secure and is easier to administer. You can use PSK and RSA authentication + simultaneously. + . + If you do not want to create a new public/private keypair, you can choose to + use an existing one in the next step. + . + Create an RSA keypair for this host? + +Template: strongswan/existing_x509_certificate +Type: boolean +Default: false +_Description: Use an existing X.509 certificate for strongSwan? + This installer can automatically extract the needed information from an + existing X.509 certificate with a matching RSA private key. Both parts can + be in one file, if it is in PEM format. If you have such an existing + certificate and key file and want to use it for authenticating IPSec + connections, then please answer yes. + . + Use an existing X.509 certificate? + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: File name of your X.509 certificate in PEM format: + Please enter the full location of the file containing your X.509 + certificate in PEM format. + +Template: strongswan/existing_x509_key_filename +Type: string +_Description: File name of your X.509 private key in PEM format: + Please enter the full location of the file containing the private RSA key + matching your X.509 certificate in PEM format. This can be the same file + as the X.509 certificate. 
+ +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: RSA key length: + Please enter the length of RSA key you wish to generate. A value of less than + 1024 bits is not considered secure. A value of more than 2048 bits will + probably affect performance. The recommended value is 2048 bits. + . + RSA key length: + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Create a self-signed X.509 certificate? + This installer can only create self-signed X.509 certificates + automatically, because otherwise a certificate authority is needed to sign + the certificate request. If you want to create a self-signed certificate, + you can use it immediately to connect to other IPSec hosts that support + X.509 certificate for authentication of IPSec connections. However, if you + want to use the new PKI features of strongSwan >= 1.91, you will need to + have all X.509 certificates signed by a single certificate authority to + create a trust path. + . + If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request, + which you will need to have signed by your certificate authority. + . + Create a self-signed certificate? + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Country code for the X.509 certificate request: + Please enter the 2 letter country code for your country. This code will be + placed in the certificate request. + . + This field is mandatory, otherwise a certificate cannot be generated. + . + Example: AT + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: State or province name for the X.509 certificate request: + Please enter the full name of your state or province. This name + will be placed in the certificate request. + . 
+ Example: Upper Austria + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Locality name for the X.509 certificate request: + Please enter your locality (e.g. city). This name will be + placed in the certificate request. + . + Example: Vienna + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Organization name for the X.509 certificate request: + Please enter the organization (e.g. company) for whom the X.509 certificate + should be created. This name will be placed in the certificate request. + . + Example: Debian + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Organizational unit for the X.509 certificate request: + Please enter the organizational unit (e.g. section) for whom the X.509 + certificate should be created. This name will be placed in the + certificate request. + . + Example: security group + +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Common name for the X.509 certificate request: + Please enter the common name (e.g. the host name of this machine) for + which the X.509 certificate should be created. This name will be placed + in the certificate request. + . + Example: gateway.debian.org + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Email address for the X.509 certificate request: + Please enter the email address of the person or organization who is + responsible for the X.509 certificate. This address will be placed in the + certificate request. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Enable opportunistic encryption? + This version of strongSwan supports opportunistic encryption (OE), which stores + IPSec authentication information in + DNS records. Until this is widely deployed, activating it will + cause a significant delay for every new outgoing connection. + . 
+ You should only enable opportunistic encryption if you are sure you want it. + It may break your Internet connection (default route) as the pluto daemon + starts. + . + Enable opportunistic encryption? --- ../strongswan.old/debian/control 1970-01-01 01:00:00.000000000 +0100 +++ debian/control 2009-04-23 12:37:26.000000000 +0100 
@@ -0,0 +1,100 @@ +Source: strongswan +Section: net +Priority: optional +Maintainer: Rene Mayrhofer <rmayr@debian.org> +Standards-Version: 3.8.1 +Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7) +Homepage: http://www.strongswan.org + +Package: strongswan +Architecture: all +Depends: strongswan-ikev1, strongswan-ikev2 +Suggests: network-manager-strongswan +Description: IPsec VPN solution metapackage + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + strongSwan is one of the two remaining forks of the original FreeS/WAN + project and focuses on IKEv2 support, X.509 authentication and complete PKI + support. For a focus on Opportunistic Encryption (OE) and interoperability + with non-standard IPsec features, see Openswan. + . + This metapackage has dependencies to the IKEv1 daemon pluto and IKEv2 daemon + charon. It installs the required packages to run IKEv1 and IKEv2 connections + using a ipsec.conf/ipsec.secrets-based configuration. + +Package: libstrongswan +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, openssl +Description: strongSwan utility and crypto library + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + libstrongswan is the underlying library of charon and other strongSwan + components. 
It is built in a modular way and is extendable through various + plugins. + +Package: strongswan-starter +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2 +Description: strongSwan daemon starter and configuration file parser + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + The starter and the associated "ipsec" script control both pluto and charon + from the command line. It parses ipsec.conf and loads the configurations to + the daemons. While the IKEv2 daemon can use other configuration backends, the + IKEv1 daemon is limited to configurations from ipsec.conf. + +Package: strongswan-ikev1 +Architecture: any +Pre-Depends: debconf | debconf-2.0 +Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute +Suggests: curl +Provides: ike-server +Conflicts: freeswan (<< 2.04-12), openswan +Replaces: openswan +Description: strongSwan IKEv1 keying daemon + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + Pluto is an IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN + project, but provides improved X.509 certificate support and other features. + . + Pluto can run in parallel with charon, the newer IKEv2 daemon. 
+ +Package: strongswan-ikev2 +Architecture: any +Pre-Depends: debconf | debconf-2.0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute +Suggests: curl +Provides: ike-server +Conflicts: freeswan (<< 2.04-12), openswan +Description: strongSwan IKEv2 keying daemon + strongSwan is an IPsec- based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + Charon is an IPsec IKEv2 keying daemon. It is + written from scratch using a fully multi-threaded design and a modular + architecture. Various plugins provide additional functionality. + . + This build of charon can run in parallel with pluto, the IKEv1 daemon. + +Package: strongswan-nm +Architecture: any +Depends: ${shlibs:Depends}, strongswan-ikev2 +Recommends: network-manager-strongswan +Description: strongSwan plugin to interact with NetworkManager + strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + This plugin provides an interface which allows NetworkManager to configure + and control the IKEv2 daemon directly through DBUS. It is designed to work + in conjunction with the network-manager-strongswan package, providing + a simple graphical frontend to configure IPsec based VPNs.
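Review bot: In the templates hunk, the extended descriptions of strongswan/rsa_key_length, strongswan/x509_self_signed and strongswan/enable-oe each end with a paragraph that repeats the short description (" RSA key length:", " Create a self-signed certificate?", " Enable opportunistic encryption?"). The short description is already displayed as the prompt, so those trailing paragraphs and the " ." separator before each can be dropped. In the same hunk, strongswan/rsa_key_length is Type: string, so the description is the only guidance on key size visible here; putting the recommended 2048 bits first and the 1024-bit floor second would make the safe choice the first thing the user reads. Smaller wording points: "X.509 certificate for authentication" should be "X.509 certificates", "2 letter country code" reads better as "two-letter country code", "This field is mandatory, otherwise a certificate cannot be generated" is a comma splice, and the templates spell "IPSec" where debian/control in this same patch spells "IPsec".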
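Review bot: In the debian/control hunk, Build-Depends lists network-manager-dev twice, once unversioned and once as "network-manager-dev (>= 0.7)"; keep only the versioned entry. The Depends line of strongswan-nm has ${shlibs:Depends} but not ${misc:Depends}, which the other "Architecture: any" packages in this file all carry, so it should be added there. strongswan-ikev1 declares "Replaces: openswan" next to its Conflicts while strongswan-ikev2 has only the Conflicts line; please confirm the difference is intended. In the descriptions, the strongswan-ikev2 text has a stray space in "IPsec- based", the metapackage text should read "an ipsec.conf/ipsec.secrets-based configuration" and "depends on" rather than "has dependencies to", and strongswan-nm should read "IPsec-based VPNs".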
Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.1
Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7)
Homepage: http://www.strongswan.org

Package: strongswan
Architecture: all
Depends: strongswan-ikev1, strongswan-ikev2
Suggests: network-manager-strongswan
Description: IPsec VPN solution metapackage
 strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 strongSwan is one of the two remaining forks of the original FreeS/WAN
 project and focuses on IKEv2 support, X.509 authentication and complete PKI
 support. For a focus on Opportunistic Encryption (OE) and interoperability
 with non-standard IPsec features, see Openswan.
 .
 This metapackage has dependencies to the IKEv1 daemon pluto and IKEv2 daemon
 charon. It installs the required packages to run IKEv1 and IKEv2 connections
 using a ipsec.conf/ipsec.secrets-based configuration.

Package: libstrongswan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Description: strongSwan utility and crypto library
 strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 libstrongswan is the underlying library of charon and other strongSwan
 components. It is built in a modular way and is extendable through various
 plugins.

Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
Description: strongSwan daemon starter and configuration file parser
 strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 The starter and the associated "ipsec" script control both pluto and charon
 from the command line. It parses ipsec.conf and loads the configurations to
 the daemons. While the IKEv2 daemon can use other configuration backends, the
 IKEv1 daemon is limited to configurations from ipsec.conf.

Package: strongswan-ikev1
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: strongSwan IKEv1 keying daemon
 strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Pluto is an IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN
 project, but provides improved X.509 certificate support and other features.
 .
 Pluto can run in parallel with charon, the newer IKEv2 daemon.

Package: strongswan-ikev2
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Description: strongSwan IKEv2 keying daemon
 strongSwan is an IPsec- based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Charon is an IPsec IKEv2 keying daemon. It is
 written from scratch using a fully multi-threaded design and a modular
 architecture. Various plugins provide additional functionality.
 .
 This build of charon can run in parallel with pluto, the IKEv1 daemon.

Package: strongswan-nm
Architecture: any
Depends: ${shlibs:Depends}, strongswan-ikev2
Recommends: network-manager-strongswan
Description: strongSwan plugin to interact with NetworkManager
 strongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This plugin provides an interface which allows NetworkManager to configure
 and control the IKEv2 daemon directly through DBUS. It is designed to work
 in conjunction with the network-manager-strongswan package, providing
 a simple graphical frontend to configure IPsec based VPNs.