-rw-r--r--perl-install/standalone/drakvpn269
1 files changed, 218 insertions, 51 deletions
diff --git a/perl-install/standalone/drakvpn b/perl-install/standalone/drakvpn
index f4c64e678..2367d87b4 100644
--- a/perl-install/standalone/drakvpn
+++ b/perl-install/standalone/drakvpn
@@ -743,29 +743,25 @@ Put your mouse over the certificate entry to obtain online help."),
val => \$path_section->{1}[1],
list => [ 'certificate', 'pre_shared_key', 'include' ],
help =>
-N("Path Specification
- path include path;
- specifies a path to include a file. See File Inclusion.
- Example: path include '/etc/racoon'
-
- path pre_shared_key file;
- specifies a file containing pre-shared key(s)
- for various ID(s). See Pre-shared key File.
- Example: path pre_shared_key '/etc/racoon/psk.txt' ;
-
- path certificate path;
- racoon(8) will search this directory if a certificate or
- certificate request is received.
- Example: path certificate '/etc/cert' ;
-
-File Inclusion
- include file
- other configuration files can be included.
-
-Pre-shared key File
- Pre-shared key file defines a pair of the identifier and the
- shared secret key which are used at Pre-shared key authentication
- method in phase 1."),
+N("path include path : specifies a path to include
+a file. See File Inclusion.
+ Example: path include '/etc/racoon'
+
+path pre_shared_key file : specifies a file containing
+pre-shared key(s) for various ID(s). See Pre-shared key File.
+ Example: path pre_shared_key '/etc/racoon/psk.txt' ;
+
+path certificate path : racoon(8) will search this directory
+if a certificate or certificate request is received.
+ Example: path certificate '/etc/cert' ;
+
+File Inclusion : include file
+other configuration files can be included.
+ Example: include \"remote.conf\" ;
+
+Pre-shared key File : Pre-shared key file defines a pair
+of the identifier and the shared secret key which are used at
+Pre-shared key authentication method in phase 1."),
},
{ label => N("real file"), val => \$path_section->{1}[2], type => 'entry' },
]
@@ -808,7 +804,7 @@ network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon);
};
ask_info('',
N("Make sure you already have the path sections
-on the top of your %s file.\n
+on the top of your %s file.
You can now choose the sainfo settings.
Choose continue or previous when you are done.\n", $racoon_conf), $sainfo_section) or goto step_configure_racoon_conf;
@@ -848,7 +844,7 @@ N("Your %s file has several sections.
You can now edit the sainfo section entries.
-Choose continue when you are done to write the data.\n", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf;
+Choose continue when you are done to write the data.", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf;
} elsif ($choice =~ /^path/) {
$in->ask_from('',
@@ -920,39 +916,210 @@ sub quit_global {
sub ask_info {
my ($title, $text, $data) = @_;
$in->ask_from($title, $text,
- [ { label => N("sainfo_source_address"), val => \$data->{1}[2], type => 'entry' },
- { label => N("sainfo_source_proto"), val => \$data->{1}[3], type => 'entry' },
- { label => N("sainfo_dest_address"), val => \$data->{1}[5], type => 'entry' },
- { label => N("sainfo_dest_proto"), val => \$data->{1}[6], type => 'entry' },
+ [ { label => N("Sainfo source address"), val => \$data->{1}[2], type => 'entry',
+ help => N("sainfo (source_id destination_id | anonymous) { statements }
+defines the parameters of the IKE phase 2
+(IPsec-SA establishment).
+
+source_id and destination_id are constructed like:
+
+ address address [/ prefix] [[port]] ul_proto
+
+Examples : \n
+sainfo anonymous (accepts connections from anywhere)
+ leave blank this entry if you want anonymous
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+ 203.178.141.209 is the source address
+
+sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any
+ 172.16.1.0/24 is the source address") },
+ { label => N("Sainfo source protocol"), val => \$data->{1}[3], type => 'entry',
+ help => N("sainfo (source_id destination_id | anonymous) { statements }
+defines the parameters of the IKE phase 2
+(IPsec-SA establishment).
+
+source_id and destination_id are constructed like:
+
+ address address [/ prefix] [[port]] ul_proto
+
+Examples : \n
+sainfo anonymous (accepts connections from anywhere)
+ leave blank this entry if you want anonymous
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+ the first 'any' allows any protocol for the source") },
+ { label => N("Sainfo destination address"), val => \$data->{1}[5], type => 'entry',
+ help => N("sainfo (source_id destination_id | anonymous) { statements }
+defines the parameters of the IKE phase 2
+(IPsec-SA establishment).
+
+source_id and destination_id are constructed like:
+
+ address address [/ prefix] [[port]] ul_proto
+
+Examples : \n
+sainfo anonymous (accepts connections from anywhere)
+ leave blank this entry if you want anonymous
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+ 203.178.141.218 is the destination address
+
+sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any
+ 172.16.2.0/24 is the destination address") },
+ { label => N("Sainfo destination protocol"), val => \$data->{1}[6], type => 'entry',
+ help => N("sainfo (source_id destination_id | anonymous) { statements }
+defines the parameters of the IKE phase 2
+(IPsec-SA establishment).
+
+source_id and destination_id are constructed like:
+
+ address address [/ prefix] [[port]] ul_proto
+
+Examples : \n
+sainfo anonymous (accepts connections from anywhere)
+ leave blank this entry if you want anonymous
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+ the last 'any' allows any protocol for the destination") },
{ label => N("PFS group"), val => \$data->{2}[1],
- list => [ qw(modp768 modp1024 modp1536) ], },
- { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry' },
- { label => N("Lifetime unit"), val => \$data->{3}[3], type => 'entry' },
- { label => N("Encryption algorithm"), val => \$data->{4}[1], type => 'entry' },
- { label => N("Authentication algorithm"), val => \$data->{5}[1], type => 'entry' },
- { label => N("Compression algorithm"), val => \$data->{6}[1], type => 'entry' },
- ]);
-}
+ list => [ qw(modp768 modp1024 modp1536 1 2 5) ],
+ help => N("define the group of Diffie-Hellman exponentiations.
+If you do not require PFS then you can omit this directive.
+Any proposal will be accepted if you do not specify one.
+group is one of following: modp768, modp1024, modp1536.
+Or you can define 1, 2, or 5 as the DH group number.") },
+ { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry',
+ help => N("define a lifetime of a certain time which will be pro-
+posed in the phase 1 negotiations. Any proposal will be
+accepted, and the attribute(s) will be not proposed to
+the peer if you do not specify it(them). They can be
+individually specified in each proposal.
+
+Examples : \n
+ lifetime time 1 min; # sec,min,hour
+ lifetime time 1 min; # sec,min,hour
+ lifetime time 30 sec;
+ lifetime time 30 sec;
+ lifetime time 60 sec;
+ lifetime time 12 hour;
+
+So, here, the lifetime numbers are 1, 1, 30, 30, 60 and 12.
+") },
+ { label => N("Lifetime unit"), val => \$data->{3}[3],
+ list => [ qw(sec min hour) ],
+ help => N("define a lifetime of a certain time which will be pro-
+posed in the phase 1 negotiations. Any proposal will be
+accepted, and the attribute(s) will be not proposed to
+the peer if you do not specify it(them). They can be
+individually specified in each proposal.
+
+Examples : \n
+ lifetime time 1 min; # sec,min,hour
+ lifetime time 1 min; # sec,min,hour
+ lifetime time 30 sec;
+ lifetime time 30 sec;
+ lifetime time 60 sec;
+ lifetime time 12 hour ;
+
+So, here, the lifetime units are 'min', 'min', 'sec', 'sec', 'sec' and 'hour'.
+") },
+ { label => N("Encryption algorithm"), val => \$data->{4}[1],
+ list => [ qw(des 3des des_iv64 des_iv32 rc5 rc4 idea 3idea cast128 blowfish null_enc twofish rijndae) ] },
+ { label => N("Authentication algorithm"), val => \$data->{5}[1],
+ list => [ qw(des 3des des_iv64 des_iv32 hmac_md5 hmac_sha1 non_auth) ] },
+ { label => N("Compression algorithm"), val => \$data->{6}[1],
+ list => [ 'deflate' ], allow_empty_list => 1 }
+
+]) }
sub ask_info2 {
my ($title, $text, $main_remote_section, $proposal_remote_section) = @_;
$in->ask_from($title, $text,,
- [ { label => N("remote"), val => \$main_remote_section->{1}[1], type => 'entry' },
- { label => N("exchange_mode"), val => \$main_remote_section->{2}[1], type => 'entry' },
- { label => N("generate_policy"), val => \$main_remote_section->{3}[1], type => 'entry' },
- { label => N("passive"), val => \$main_remote_section->{4}[1], type => 'entry' },
- { label => N("certificate_type"), val => \$main_remote_section->{5}[1], type => 'entry' },
- { label => N("my_certfile"), val => \$main_remote_section->{5}[2], type => 'entry' },
- { label => N("my_private_key"), val => \$main_remote_section->{5}[3], type => 'entry' },
- { label => N("peers_certfile"), val => \$main_remote_section->{6}[1], type => 'entry' },
- { label => N("verify_cert"), val => \$main_remote_section->{7}[1], type => 'entry' },
- { label => N("my_identifier"), val => \$main_remote_section->{8}[1], type => 'entry' },
- { label => N("peers_identifier"), val => \$main_remote_section->{9}[1], type => 'entry' },
- { label => N("proposal"), val => \$proposal_remote_section->{1}[0], type => 'entry' },
- { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], type => 'entry' },
+ [ { label => N("Remote"), val => \$main_remote_section->{1}[1], type => 'entry',
+ help => N("remote (address | anonymous) [[port]] { statements }
+specifies the parameters for IKE phase 1 for each remote node.
+The default port is 500. If anonymous is specified, the state-
+ments apply to all peers which do not match any other remote
+directive.\n
+Examples : \n
+remote anonymous
+remote ::1 [8000]") },
+ { label => N("Exchange mode"), val => \$main_remote_section->{2}[1],
+ list => [ qw(main,agressive agressive,main) ],
+ help => N("defines the exchange mode for phase 1 when racoon is the
+initiator. Also it means the acceptable exchange mode
+when racoon is responder. More than one mode can be
+specified by separating them with a comma. All of the
+modes are acceptable. The first exchange mode is what
+racoon uses when it is the initiator.\n") },
+ { label => N("Generate policy"), val => \$main_remote_section->{3}[1],
+ list => [ 'off', 'on' ],
+ help => N("This directive is for the responder. Therefore you
+should set passive on in order that racoon(8) only
+becomes a responder. If the responder does not have any
+policy in SPD during phase 2 negotiation, and the direc-
+tive is set on, then racoon(8) will choice the first pro-
+posal in the SA payload from the initiator, and generate
+policy entries from the proposal. It is useful to nego-
+tiate with the client which is allocated IP address
+dynamically. Note that inappropriate policy might be
+installed into the responder's SPD by the initiator. So
+that other communication might fail if such policies
+installed due to some policy mismatches between the ini-
+tiator and the responder. This directive is ignored in
+the initiator case. The default value is off.") },
+ { label => N("Passive"), val => \$main_remote_section->{4}[1],
+ list => [ 'off', 'on' ],
+ help => N("If you do not want to initiate the negotiation, set this
+to on. The default value is off. It is useful for a
+server.") },
+ { label => N("Certificate type"), val => \$main_remote_section->{5}[1],
+ list => [ 'x509' ], allow_empty_list => 1 },
+ { label => N("My certfile"), val => \$main_remote_section->{5}[2], type => 'entry',
+ help => N("Name of the certificate") },
+ { label => N("My private key"), val => \$main_remote_section->{5}[3], type => 'entry',
+ help => N("Name of the private key") },
+ { label => N("Peers certfile"), val => \$main_remote_section->{6}[1], type => 'entry',
+ help => N("Name of the peers certificate") },
+ { label => N("Verify cert"), val => \$main_remote_section->{7}[1],
+ list => [ 'off', 'on' ],
+ help => N("If you do not want to verify the peer's certificate for
+some reason, set this to off. The default is on.") },
+ { label => N("My identifier"), val => \$main_remote_section->{8}[1], type => 'entry',
+ help => N("specifies the identifier sent to the remote host and the
+type to use in the phase 1 negotiation. address, fqdn,
+user_fqdn, keyid and asn1dn can be used as an idtype.
+they are used like:
+ my_identifier address [address];
+ the type is the IP address. This is the default
+ type if you do not specify an identifier to use.
+ my_identifier user_fqdn string;
+ the type is a USER_FQDN (user fully-qualified
+ domain name).
+ my_identifier fqdn string;
+ the type is a FQDN (fully-qualified domain name).
+ my_identifier keyid file;
+ the type is a KEY_ID.
+ my_identifier asn1dn [string];
+ the type is an ASN.1 distinguished name. If
+ string is omitted, racoon(8) will get DN from
+ Subject field in the certificate.\n
+Examples : \n
+my_identifier user_fqdn \"myemail\@mydomain.com\"") },
+ { label => N("Peers identifier"), val => \$main_remote_section->{9}[1], type => 'entry' },
+ { label => N("Proposal"), val => \$proposal_remote_section->{1}[0], list => [ 'proposal' ], allow_empty_list => 1 },
+ { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], list => [ qw(des 3des blowfish cast128) ],
+ help => N("specify the encryption algorithm used for the
+phase 1 negotiation. This directive must be defined.
+algorithm is one of following:
+
+des, 3des, blowfish, cast128 for oakley.
+
+For other transforms, this statement should not be used.") },
{ label => N("Hash algorithm"), val => \$proposal_remote_section->{3}[1], type => 'entry' },
{ label => N("Authentication method"), val => \$proposal_remote_section->{4}[1], type => 'entry' },
- { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536) ], },
+ { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], },
]);
}
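Review bot: Two of the new fixed-choice lists contain misspelled racoon keywords that will be written verbatim into the generated racoon.conf and rejected by its parser: `rijndae` at the end of the sainfo encryption list `list => [ qw(des 3des ... twofish rijndae) ]` should be `rijndael`, and both entries of the exchange-mode list spell `aggressive` as `agressive`. That exchange-mode list also uses `qw()` with embedded commas, which triggers a "Possible attempt to separate words with commas" warning under `use warnings`; write it as `list => [ 'main,aggressive', 'aggressive,main' ],`. Separately, ask_info now closes with `]) }` after a stray blank line where the old code had `]);` followed by `}` on its own line; restoring that form keeps it consistent with ask_info2 just below. The lifetime help text attached to the sainfo entries speaks of "phase 1 negotiations", but sainfo lifetimes apply to the phase 2 SA, so that wording appears to have been copied from the remote section and probably should say phase 2.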