Template: freeswan/makedev Type: boolean Default: true Description: Create device nodes for FreeS/WAN? Do you wish to create the device nodes for FreeS/WAN now? You can create them later by running dpkg-reconfigure freeswan, or by running MAKEDEV ipsec in /dev. Template: freeswan/restart Type: boolean Default: true Description: Do you wish to restart FreeS/WAN? Restarting FreeS/WAN is a good idea, since if there is a security fix, it will not be fixed until the daemon restarts. Most people expect the daemon to restart, so this is generally a good idea. However this might take down existing connections and then bring them back up. Template: freeswan/create_rsa_key Type: boolean Default: true Description: Do you want to create a RSA public/private keypair for this host ? This installer can automatically create a RSA public/private keypair for this host. This keypair can be used to authenticate IPSec connections to other hosts and is the preferred way for building up secure IPSec connections. The other possibility would be to use shared secrets (passwords that are the same on both sides of the tunnel) for authenticating an connection, but for a larger number of connections RSA authentication is easier to administrate and more secure. Template: freeswan/rsa_key_type Type: select Choices: x509, plain Default: x509 Description: Which type of RSA keypair do you want to create ? It is possible to create a plain RSA public/private keypair for the use with FreeS/WAN or to create a X509 certificate file which contains the RSA public key and additionally store the corresponding private key. . If you only want to build up IPSec connections to hosts also running FreeS/WAN, it might be a bit easier using plain RSA keypairs. But if you want to connect to other IPSec implementations, you will need a X509 certificate. It is also possible to create a X509 certificate here and extract the RSA public key in plain format if the other side runs FreeS/WAN without X509 certificate support. . Therefore a X509 certificate is recommended since it is more flexible and this installer should be able to hide the complex creation of the X509 certificate and its use in FreeS/WAN anyway.