Template: openswan/autostart
_Description: Autostart Openswan at boot?
 It is possible to have Openswan (ipsec) start automatically at boot time
 by adding its init script (/etc/init.d/ipsec) to the boot sequence. Most
 people will prefer to configure the daemon before enabling autostart. To
 enable it manually, simply run "update-rc.d ipsec defaults".

Template: openswan/restart
_Description: Restart Openswan now?
 Restarting Openswan is recommended, since if there is a security fix, it
 will not be applied until the daemon restarts. Most people expect the daemon
 to restart, so this is generally a good idea. However, this might take down
 existing connections and then bring them back up, so if you are using such
 an Openswan tunnel to connect for this update, restarting is not recommended.

Template: openswan/install_x509_certificate
_Description: Use an X.509 certificate for this host?
 An X.509 certificate for this host can be automatically created or imported.
 It can be used to authenticate IPsec connections to other hosts
 and is the preferred way of building up secure IPsec connections. The other
 possibility would be to use shared secrets (passwords that are the same on
 both sides of the tunnel) for authenticating a connection, but for a larger
 number of connections, key-based authentication is easier to administer and
 .
 Alternatively you can reject this option and later use the command
 "dpkg-reconfigure openswan" to come back.

Template: openswan/how_to_get_x509_certificate
__Choices: create, import
_Description: Methods for using an X.509 certificate to authenticate this host:
 It is possible to create a new X.509 certificate with user-defined settings
 or to import an existing public and private key stored in PEM file(s) for
 authenticating IPsec connections.
 .
 If you choose to create a new X.509 certificate you will first be asked
 a number of questions which must be answered before the creation can start.
 Please keep in mind that if you want the public key to get signed by
 an existing Certificate Authority you should not select to create a
 self-signed certificate, and all the answers given must match exactly the
 requirements of the CA, otherwise the certificate request may be rejected.
 .
 If you want to import an existing public and private key you will be
 prompted for their filenames (which may be identical if both parts are stored
 together in one file). Optionally you may also specify a filename where the
 public key(s) of the Certificate Authority are kept, but this file cannot
 be the same as the former ones. Please also be aware that the format for the
 X.509 certificates has to be PEM and that the private key must not be encrypted
 or the import procedure will fail.
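
The import constraints stated above (PEM format, an unencrypted private key, a CA file distinct from the certificate and key files) can be checked before answering the prompts. This is an added example, not code from the Openswan package; the function names are hypothetical, and it inspects PEM armor lines only, so it does not prove that the key matches the certificate.

```shell
#!/bin/sh
# Added example: header-level pre-flight for the "import" choice.
# Function names are hypothetical; this is not the package's postinst.

is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; }

has_private_key() {
    grep -Eq -- '-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Legacy PEM marks encryption with a "Proc-Type: 4,ENCRYPTED" header,
# PKCS#8 with a "BEGIN ENCRYPTED PRIVATE KEY" armor line.
key_is_encrypted() {
    grep -Eq -- '^Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# check_import CERT KEY [CA]: prints "ok" or the reason; returns 0 or 1..5.
check_import() {
    cert=$1; key=$2; ca=${3:-}
    is_pem_cert "$cert" || { echo "certificate is not PEM"; return 1; }
    has_private_key "$key" || { echo "no PEM private key found"; return 2; }
    if key_is_encrypted "$key"; then
        echo "private key is encrypted; import would fail"; return 3
    fi
    if [ -n "$ca" ]; then
        is_pem_cert "$ca" || { echo "CA file is not PEM"; return 4; }
        # -ef compares device/inode, so symlinks and alternate paths are caught.
        if [ "$ca" -ef "$cert" ] || [ "$ca" -ef "$key" ]; then
            echo "CA file must not be the certificate or key file"; return 5
        fi
    fi
    echo ok
}

# Constructed sample input: armor lines around dummy data, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/host.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/enc.key"
    check_import "$d/host.pem" "$d/enc.key"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```
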

Template: openswan/existing_x509_certificate_filename
_Description: File name of your PEM format X.509 certificate:
 Please enter the location of the file containing your X.509 certificate in

Template: openswan/existing_x509_key_filename
_Description: File name of your PEM format X.509 private key:
 Please enter the location of the file containing the private RSA key
 matching your X.509 certificate in PEM format. This can be the same file
 that contains the X.509 certificate.

Template: openswan/existing_x509_rootca_filename
_Description: File name of your PEM format X.509 RootCA:
 Optionally you can now enter the location of the file containing the X.509
 Certificate Authority root used to sign your certificate in PEM format. If you
 do not have one or do not want to use it please leave the field empty. Please
 note that it's not possible to store the RootCA in the same file as your X.509
 certificate or private key.

Template: openswan/rsa_key_length
_Description: Length of RSA key to be created:
 Please enter the required RSA key-length. Anything under 1024 bits
 should be considered insecure; anything more than 4096 bits slows down
 the authentication process and is not useful at present.

Template: openswan/x509_self_signed
_Description: Create a self-signed X.509 certificate?
 Only self-signed X.509 certificates can be created
 automatically, because otherwise a Certificate Authority is needed to sign
 the certificate request. If you choose to create a self-signed certificate,
 you can use it immediately to connect to other IPsec hosts that support
 X.509 certificates for authentication of IPsec connections. However, using
 Openswan's PKI features requires all certificates to be signed by a single
 Certificate Authority to create a trust path.
 .
 If you do not choose to create a self-signed certificate, only the RSA
 private key and the certificate request will be created, and you will
 have to sign the certificate request with your Certificate Authority.

Template: openswan/x509_country_code
_Description: Country code for the X.509 certificate request:
 Please enter the two-letter code for the country the server resides in
 (such as "AT" for Austria).
 .
 OpenSSL will refuse to generate a certificate unless this is a valid
 ISO-3166 country code; an empty field is allowed elsewhere in the X.509
 certificate, but not here.

Template: openswan/x509_state_name
_Description: State or province name for the X.509 certificate request:
 Please enter the full name of the state or province the server resides in
 (such as "Upper Austria").

Template: openswan/x509_locality_name
_Description: Locality name for the X.509 certificate request:
 Please enter the locality the server resides in (often a city, such

Template: openswan/x509_organization_name
_Description: Organization name for the X.509 certificate request:
 Please enter the organization the server belongs to (such as "Debian").

Template: openswan/x509_organizational_unit
_Description: Organizational unit for the X.509 certificate request:
 Please enter the organizational unit the server belongs to (such as

Template: openswan/x509_common_name
_Description: Common Name for the X.509 certificate request:
 Please enter the Common Name for this host (such as
 "gateway.example.org").

Template: openswan/x509_email_address
_Description: Email address for the X.509 certificate request:
 Please enter the email address of the person or organization
 responsible for the X.509 certificate.

Template: openswan/no-oe_include_file
_Description: Modification of /etc/ipsec.conf
 Due to a change in upstream Openswan, opportunistic encryption is no longer
 enabled by default. The no_oe.conf file that was shipped in earlier versions
 to explicitly disable it can therefore no longer be included by ipsec.conf.
 Any such include paragraph will now be automatically removed to ensure
 that Openswan can start correctly.