
Re: openswan: Request for review



On Monday 12 April 2010 12:11:40 Justin B Rye wrote:
> Harald Jenny wrote:
> > please find attached the template and control file of the
> > openswan-package.
> 
> In the hope of saving people some effort I'll mention before I start
> looking at openswan that this time last year we did strongswan:
> http://lists.debian.org/debian-l10n-english/2009/04/msg00055.html

I intend to sync openswan and strongswan with all options that make sense in 
both of them. Attached please find the control and templates files for the 
current strongswan package (not yet uploaded, as I am restructuring slightly). 
If possible, please consider both packages concurrently, with the aim to have 
the same debconf questions (replacing openswan with strongswan).

best regards,
Rene

# These templates have been reviewed by the debian-l10n-english
# team
#
# If modifications/additions/rewording are needed, please ask
# debian-l10n-english@lists.debian.org for advice.
#
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.

Template: strongswan/runlevel_changes
Type: note
_Description: Old runlevel management superseded
 Previous versions of the strongSwan package allowed the user to choose between
 three different Start/Stop-Levels. Due to changes in the standard system 
 startup procedure, this is no longer necessary and useful. For all new
 installations as well as old ones running in any of the predefined modes,
 sane default levels set will now be set. If you are upgrading from a previous
 version and changed your strongSwan startup parameters, then please take a
 look at NEWS.Debian for instructions on how to modify your setup accordingly.

Template: strongswan/restart
Type: boolean
Default: true
_Description: Do you wish to restart strongSwan?
 Restarting strongSwan is a good idea, since if there is a security fix, it
 will not be fixed until the daemon restarts. Most people expect the daemon
 to restart, so this is generally a good idea. However, this might take down
 existing connections and then bring them back up (including the connection
 currently used for this update, so it is recommended not to restart if you
 are using any of the tunnel for administration).

Template: strongswan/ikev1
Type: boolean
Default: true
_Description: Start strongSwan's IKEv1 daemon?
 The pluto daemon must be running to support version 1 of the Internet Key
 Exchange protocol.

Template: strongswan/ikev2
Type: boolean
Default: true
_Description: Start strongSwan's IKEv2 daemon?
 The charon daemon must be running to support version 2 of the Internet Key
 Exchange protocol.

Template: strongswan/install_x509_certificate
Type: boolean
Default: false
_Description: Do you want to use a X509 certificate for this host?
 This installer can automatically create or import a X509 certificate for
 this host. It can be used to authenticate IPsec connections to other hosts
 and is the preferred way for building up secure IPsec connections. The other
 possibility would be to use shared secrets (passwords that are the same on
 both sides of the tunnel) for authenticating an connection, but for a larger
 number of connections, key based authentication is easier to administer and
 more secure.
 .
 If you do not want to this now you can answer "No" and later use the command
 "dpkg-reconfigure openswan" to come back.

Template: strongswan/how_to_get_x509_certificate
Type: select
__Choices: create, import
Default: create
_Description: Methods for using a X509 certificate to authenticate this host:
 It is possible to create a new X509 certificate with user-defined settings
 or to import an existing public and private key stored in PEM file(s) for
 authenticating IPsec connections.
 .
 If you choose to create a new X509 certificate you will first be presented
 a number of questions which must be answered before the creation can start.
 Please keep in mind that if you want the public key to get signed by
 an existing certification authority you should not select to create a
 self-signed certificate and all the answers given must match exactly the
 requirements of the CA, otherwise the certificate request may be rejected.
 .
 In case you want to import an existing public and private key you will be
 prompted for their filenames (may be identical if both parts are stored 
 together in one file). Optionally you may also specify a filename where the
 public key(s) of the certification authority are kept, but this file cannot 
 be the same as the former ones. Please be also aware that the format for the
 X509 certificates has to be PEM and that the private key must not be encrypted 
 or the import procedure will fail.

Template: strongswan/existing_x509_certificate_filename
Type: string
_Description: Please enter the location of your X509 certificate in PEM format:
 Please enter the location of the file containing your X509 certificate in
 PEM format.

Template: strongswan/existing_x509_key_filename
Type: string
_Description: Please enter the location of your X509 private key in PEM format:
 Please enter the location of the file containing the private RSA key
 matching your X509 certificate in PEM format. This can be the same file
 that contains the X509 certificate.

Template: strongswan/existing_x509_rootca_filename
Type: string
_Description: You may now enter the location of your X509 RootCA in PEM format:
 Optionally you can now enter the location of the file containing the X509
 certificate authority root used to sign your certificate in PEM format. If you
 do not have one or do not want to use it please leave the field empty. Please
 note that it's not possible to store the RootCA in the same file as your X509
 certificate or private key.

Template: strongswan/rsa_key_length
Type: string
Default: 2048
_Description: Please enter which length the created RSA key should have:
 Please enter the length of the created RSA key. it should not be less than
 1024 bits because this should be considered unsecure and you will probably
 not need anything more than 4096 bits because it only slows the
 authentication process down and is not needed at the moment.

Template: strongswan/x509_self_signed
Type: boolean
Default: true
_Description: Do you want to create a self-signed X509 certificate?
 This installer can only create self-signed X509 certificates
 automatically, because otherwise a certificate authority is needed to sign
 the certificate request. If you want to create a self-signed certificate,
 you can use it immediately to connect to other IPsec hosts that support
 X509 certificate for authentication of IPsec connections. However, if you
 want to use the new PKI features of strongSwan >= 1.91, you will need to
 have all X509 certificates signed by a single certificate authority to
 create a trust path.
 .
 If you do not want to create a self-signed certificate, then this
 installer will only create the RSA private key and the certificate request
 and you will have to sign the certificate request with your certificate
 authority.

Template: strongswan/x509_country_code
Type: string
Default: AT
_Description: Please enter the country code for the X509 certificate request:
 Please enter the 2 letter country code for your country. This code will be
 placed in the certificate request.
 .
 You really need to enter a valid country code here, because openssl will
 refuse to generate certificates without one. An empty field is allowed for
 any other field of the X.509 certificate, but not for this one.
 .
 Example: AT

Template: strongswan/x509_state_name
Type: string
Default:
_Description: Please enter the state or province name for the X509 certificate request:
 Please enter the full name of the state or province you live in. This name
 will be placed in the certificate request.
 .
 Example: Upper Austria

Template: strongswan/x509_locality_name
Type: string
Default:
_Description: Please enter the locality name for the X509 certificate request:
 Please enter the locality (e.g. city) where you live. This name will be
 placed in the certificate request.
 .
 Example: Vienna

Template: strongswan/x509_organization_name
Type: string
Default:
_Description: Please enter the organization name for the X509 certificate request:
 Please enter the organization (e.g. company) that the X509 certificate
 should be created for. This name will be placed in the certificate
 request.
 .
 Example: Debian

Template: strongswan/x509_organizational_unit
Type: string
Default:
_Description: Please enter the organizational unit for the X509 certificate request:
 Please enter the organizational unit (e.g. section) that the X509
 certificate should be created for. This name will be placed in the
 certificate request.
 .
 Example: security group

Template: strongswan/x509_common_name
Type: string
Default:
_Description: Please enter the common name for the X509 certificate request:
 Please enter the common name (e.g. the host name of this machine) for
 which the X509 certificate should be created for. This name will be placed
 in the certificate request.
 .
 Example: gateway.debian.org

Template: strongswan/x509_email_address
Type: string
Default:
_Description: Please enter the email address for the X509 certificate request:
 Please enter the email address of the person or organization who is
 responsible for the X509 certificate, This address will be placed in the
 certificate request.

Template: strongswan/enable-oe
Type: boolean
Default: false
_Description: Enable opportunistic encryption?
 This version of strongSwan supports opportunistic encryption (OE), which stores
 IPSec authentication information in
 DNS records. Until this is widely deployed, activating it will
 cause a significant delay for every new outgoing connection.
 .
 You should only enable opportunistic encryption if you are sure you want it.
 It may break the Internet connection (default route) as the pluto daemon
 starts.

Source: strongswan
Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.4
Vcs-Browser: http://wiki.strongswan.org/repositories/show/strongswan
Vcs-Git: http://wiki.strongswan.org/repositories/show/strongswan
Build-Depends: debhelper (>= 7.1), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf
Homepage: http://www.strongswan.org

Package: strongswan
Architecture: all
Depends: strongswan-ikev1, strongswan-ikev2
Suggests: network-manager-strongswan
Description: IPsec VPN solution metapackage
 The strongSwan VPN suite is based on the IPsec stack in standard Linux 2.6
 kernels. It supports both the IKEv1 and IKEv2 protocols.
 .
 StrongSwan is one of the two remaining forks of the original FreeS/WAN
 project and focuses on IKEv2 support, X.509 authentication and complete PKI
 support. For a focus on Opportunistic Encryption (OE) and interoperability
 with non-standard IPsec features, see Openswan.
 .
 This metapackage installs the packages required to maintain IKEv1 and IKEv2
 connections via ipsec.conf or ipsec.secrets.

Package: libstrongswan
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Conflicts: strongswan (< 4.2.12-1)
Description: strongSwan utility and crypto library
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This package provides the underlying library of charon and other strongSwan
 components. It is built in a modular way and is extendable through various
 plugins.

Package: strongswan-dbg
Architecture: any
Section: debug
Priority: extra
Depends: ${misc:Depends}, strongswan
Description: strongSwan library and binaries - debugging symbols
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This package provides the symbols needed for debugging of strongswan.

Package: strongswan-starter
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2
Conflicts: strongswan (< 4.2.12-1)
Description: strongSwan daemon starter and configuration file parser
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 The starter and the associated "ipsec" script control both pluto and charon
 from the command line. It parses ipsec.conf and loads the configurations to
 the daemons. While the IKEv2 daemon can use other configuration backends, the
 IKEv1 daemon is limited to configurations from ipsec.conf.

Package: strongswan-ikev1
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan, strongswan (< 4.2.12-1)
Replaces: openswan
Description: strongSwan Internet Key Exchange (v1) daemon
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Pluto is an IPsec IKEv1 daemon. It was inherited from the FreeS/WAN
 project, but provides improved X.509 certificate support and other features.
 .
 Pluto can run in parallel with charon, the newer IKEv2 daemon.

Package: strongswan-ikev2
Architecture: any
Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute
Suggests: curl
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan, strongswan (< 4.2.12-1)
Description: strongSwan Internet Key Exchange (v2) daemon
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 Charon is an IPsec IKEv2 daemon. It is
 written from scratch using a fully multi-threaded design and a modular
 architecture. Various plugins provide additional functionality.
 .
 This build of charon can run in parallel with pluto, the IKEv1 daemon.

Package: strongswan-nm
Architecture: any
Depends: ${shlibs:Depends}, strongswan-ikev2
Recommends: network-manager-strongswan
Description: strongSwan plugin to interact with NetworkManager
 StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the
 native IPsec stack and runs on any recent 2.6 kernel (no patching required).
 It supports both IKEv1 and the newer IKEv2 protocols.
 .
 This plugin provides an interface which allows NetworkManager to configure
 and control the IKEv2 daemon directly through D-Bus. It is designed to work
 in conjunction with the network-manager-strongswan package, providing
 a simple graphical frontend to configure IPsec based VPNs.
