Template: libreswan/autostart Type: boolean Default: false _Description: Autostart Libreswan at boot? It is possible to have Libreswan (ipsec) to start automatically at boot time by adding its init script (/etc/init.d/ipsec) to the boot sequence. Most people will prefer to configure the daemon before enabling autostart. To enable it manually, simply run "update-rc.d ipsec defaults". Template: libreswan/restart Type: boolean Default: true _Description: Restart Libreswan now? Restarting Libreswan is recommended, since if there is a security fix, it will not be applied until the daemon restarts. Most people expect the daemon to restart, so this is generally a good idea. However, this might take down existing connections and then bring them back up, so if you are using such an Libreswan tunnel to connect for this update, restarting is not recommended. Template: libreswan/install_x509_certificate Type: boolean Default: false _Description: Use an X.509 certificate for this host? An X.509 certificate for this host can be automatically created or imported. It can be used to authenticate IPsec connections to other hosts and is the preferred way of building up secure IPsec connections. The other possibility would be to use shared secrets (passwords that are the same on both sides of the tunnel) for authenticating a connection, but for a larger number of connections, key based authentication is easier to administer and more secure. . Alternatively you can reject this option and later use the command "dpkg-reconfigure libreswan" to come back. Template: libreswan/how_to_get_x509_certificate Type: select __Choices: create, import Default: create _Description: Methods for using a X.509 certificate to authenticate this host: It is possible to create a new X.509 certificate with user-defined settings or to import an existing public and private key stored in PEM file(s) for authenticating IPsec connections. . If you choose to create a new X.509 certificate you will first be asked a number of questions which must be answered before the creation can start. Please keep in mind that if you want the public key to get signed by an existing Certificate Authority you should not select to create a self-signed certificate and all the answers given must match exactly the requirements of the CA, otherwise the certificate request may be rejected. . If you want to import an existing public and private key you will be prompted for their filenames (which may be identical if both parts are stored together in one file). Optionally you may also specify a filename where the public key(s) of the Certificate Authority are kept, but this file cannot be the same as the former ones. Please also be aware that the format for the X.509 certificates has to be PEM and that the private key must not be encrypted or the import procedure will fail. Template: libreswan/existing_x509_certificate_filename Type: string _Description: File name of your PEM format X.509 certificate: Please enter the location of the file containing your X.509 certificate in PEM format. Template: libreswan/existing_x509_key_filename Type: string _Description: File name of your PEM format X.509 private key: Please enter the location of the file containing the private RSA key matching your X.509 certificate in PEM format. This can be the same file that contains the X.509 certificate. Template: libreswan/existing_x509_rootca_filename Type: string _Description: File name of your PEM format X.509 RootCA: Optionally you can now enter the location of the file containing the X.509 Certificate Authority root used to sign your certificate in PEM format. If you do not have one or do not want to use it please leave the field empty. Please note that it's not possible to store the RootCA in the same file as your X.509 certificate or private key. Template: libreswan/rsa_key_length Type: string Default: 2048 _Description: Length of RSA key to be created: Please enter the required RSA key-length. Anything under 1024 bits should be considered insecure; anything more than 4096 bits slows down the authentication process and is not useful at present. Template: libreswan/x509_self_signed Type: boolean Default: true _Description: Create a self-signed X.509 certificate? Only self-signed X.509 certificates can be created automatically, because otherwise a Certificate Authority is needed to sign the certificate request. If you choose to create a self-signed certificate, you can use it immediately to connect to other IPsec hosts that support X.509 certificate for authentication of IPsec connections. However, using Libreswan's PKI features requires all certificates to be signed by a single Certificate Authority to create a trust path. . If you do not choose to create a self-signed certificate, only the RSA private key and the certificate request will be created, and you will have to sign the certificate request with your Certificate Authority. Template: libreswan/x509_country_code Type: string Default: AT _Description: Country code for the X.509 certificate request: Please enter the two-letter code for the country the server resides in (such as "AT" for Austria). . OpenSSL will refuse to generate a certificate unless this is a valid ISO-3166 country code; an empty field is allowed elsewhere in the X.509 certificate, but not here. Template: libreswan/x509_state_name Type: string Default: _Description: State or province name for the X.509 certificate request: Please enter the full name of the state or province the server resides in (such as "Upper Austria"). Template: libreswan/x509_locality_name Type: string Default: _Description: Locality name for the X.509 certificate request: Please enter the locality the server resides in (often a city, such as "Vienna"). Template: libreswan/x509_organization_name Type: string Default: _Description: Organization name for the X.509 certificate request: Please enter the organization the server belongs to (such as "Debian"). Template: libreswan/x509_organizational_unit Type: string Default: _Description: Organizational unit for the X.509 certificate request: Please enter the organizational unit the server belongs to (such as "security group"). Template: libreswan/x509_common_name Type: string Default: _Description: Common Name for the X.509 certificate request: Please enter the Common Name for this host (such as "gateway.example.org"). Template: libreswan/x509_email_address Type: string Default: _Description: Email address for the X.509 certificate request: Please enter the email address of the person or organization responsible for the X.509 certificate. Template: libreswan/no-oe_include_file Type: note _Description: Modification of /etc/ipsec.conf Due to a change in upstream Libreswan, opportunistic encryption is no longer enabled by default. The no_oe.conf file that was shipped in earlier versions to explicitly disable it can therefore no longer be included by ipsec.conf. Any such include paragraph will now be automatically removed to ensure that Libreswan can start correctly.