libreswan 3.23-4 / usr / share / doc / libreswan / README.Debian

This file is indexed.

/usr/share/doc/libreswan/README.Debian is in libreswan 3.23-4.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
libreswan for Debian
--------------------

1) General Remarks

This package has been created by dkg with some reference/guidance from
previous packaging work by several other packagers of both libreswan
and other historical *swan projects (freeswan, openswan, etc).

2) System "ipsec" service is disabled by default

This package ships with the system service disabled by default.  After
any configuration (see ipsec.conf(5) and ipsec.secrets(5)), you can
start the service for the current boot with:

    systemctl start ipsec

If you want to make the service start at every boot, do:

    systemctl enable ipsec

Future versions may enable the service by default if a
sufficiently-robust, configuration-free opportunistic mode is
available.

3) Opportunistic Encryption

To set up opportunistic encryption, you may want to make use of
/usr/share/doc/libreswan/examples/oe-upgrade-authnull.conf

You can see what associations have been created with:

    ipsec whack --trafficstatus

See also:

    https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

4) Raw RSA key creation

Raw RSA keys can be generated with
    ipsec newhostkey

To display the key identifier of the key for use in leftrsasigkey/rightrsasigkey
in the "conn" section of ipsec.conf, use:
    ipsec showhostkey --left    (or --right)

For further information please take a closer look at the manpages
ipsec_rsasigkey, ipsec.secrets, ipsec_showhostkey and ipsec.conf.

5) X.509 and secret key support uses /var/lib/ipsec/nss

All certificate material, including CA certificates, CRLs and private keys
are now stored in the NSS database in /var/lib/ipsec/nss

When migrating from pre-NSS openswan, the files from /etc/ipsec.d/private,
/etc/ipsec.d/cacerts, /etc/ipsec.d/crls and /etc/ipsec.d/certs need to be
imported into NSS using certutil, crlutil or pk12util. For more information
see https://libreswan.org/wiki/Using_NSS_with_libreswan

Please keep in mind that upstream documentation assumes that the NSS
database is stored in /etc/ipsec.d instead of /var/lib/ipsec/nss,
and translate accordingly!  Debian uses /var/lib/ipsec/nss to
avoid clutter in /etc/ipsec.d, for easier cleanup, and to follow the
FHS.

6) IPsec Kernel Support

Note: This package uses the in-kernel IPsec stack, which is available
in all recent stock Debian kernel images.  This packaging does not
currently support KLIPS or KLIPS/MAST.

 -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Wed, 22 Jun 2016 17:58:47 -0400

APT Browse - Built by Thomas Orozco.