[secnet] / example.conf

# secnet example configuration file

# Log facility
log syslog {
	ident "secnet";
	facility "local0";
};

# Alternatively you could log to a file:
# log logfile {
# 	filename "/var/log/secnet";
# 	class "info","notice","warning","error","security","fatal";
# 	# There are some useful message classes that could replace
# 	# this list:
# 	#  'default' -> warning,error,security,fatal
# 	#  'verbose' -> info,notice,default
# 	#  'quiet'   -> fatal
# };

# Systemwide configuration (all other configuration is per-site):
# log		a log facility for program messages
# userid	who we try to run as after setup
# pidfile
system {
	userid "secnet";
	pidfile "/var/run/secnet.pid";
};

# Parameters for each remote site (arguments to the site() closure):
#  things we configure locally
# buffer                buffer for constructing/sending/receiving packets
# netlink		user/kernel netlink device for this tunnel
# comm			UDP communication
# resolver		resolver to use for name lookups
# log			a log destination for this connection
# log-events		string list: which events we log
# random                a source of randomness

#  our local configuration visible to the outside world
# local-name		string: how we identify ourselves to them
# local-key		our own private RSA key
# local-port		port number we listen on

#  their configuration visible to us
# name			string: how they identify themselves
# address		string: use with resolver to find their IP address
# networks		string list: their networks for us
# key			the remote site's RSA public key
# port			port we send to to contact remote site

#  things both ends must agree on
# transform             routine for bulk encryption
# dh			Diffie-Hellman parameters
# hash			secure hash function

#  things both ends ought to agree on, but don't have to
# key-lifetime          max session key lifetime, in milliseconds
# setup-retries         max retransmits of a key setup packet
# setup-timeout         wait between retransmits of key setup packets, in ms
# wait-time             wait between unsuccessful key setup attempts, in ms
# renegotiate-time      set up a new key if we see any traffic after this time

# Use the universal TUN/TAP driver to get packets to and from the kernel
#  (use tun-old if you are not on Linux-2.4)
netlink tun {
	name "netlink-tun"; # Printed in log messages from this netlink
#	interface "tun0"; # You may set your own interface name if you wish;
		# if you don't one will be chosen for you.

	# local networks served by this netlink device
	# incoming tunneled packets for other networks will be discarded
	networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
	local-address "192.168.x.x"; # IP address of host's tunnel interface
	secnet-address "192.168.x.x"; # IP address of this secnet

	# MTU of the tunnel interface. Should be kept under the path-MTU
	# (by at least 60 bytes) between this secnet and its peers for
	# optimum performance.
	mtu 1400;

	# This buffer is used to pass incoming packets onto the 'site'
	# module. It should be at least as big as the MTU plus 60 bytes.
	# Buffers can sometimes be shared between netlink devices - see
	# full documentation for more details. (XXX TODO)
	buffer sysbuffer(2048);
};

# Alternatively (or additionally, if you like) use userv-ipif to get
# packets to and from the kernel.
#netlink userv-ipif {
#	name "netlink-userv-ipif";
#	# userv-path "/usr/bin/userv";
#	# service-user "root";
#	# service-name "ipif";
#	networks "whatever";
#	local-address "whatever";
#	secnet-address "whatever";
#	mtu 1400;
#	buffer sysbuffer(2048);
#};	

# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
	port xxxx;
	buffer sysbuffer(4096);
};

# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
resolver adns {
#	config=readfile("/etc/secnet/adns.conf");
};

# log is defined earlier - we share it with the system
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
	"security";

# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);

local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");

# On dodgy links you may want to specify a higher maximum sequence number skew
transform serpent256-cbc {
	max-sequence-skew 10;
};

include /etc/secnet/sites.conf

# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.

sites
	site(vpn-data/example/location1/site1),
	site(vpn-data/example/location2/site1),
	site(vpn-data/example/location2/site2);

# If you want to communicate with all the VPN sites, you can use something
# like the following instead:

# sites map(site,vpn/example/all-sites);

# If you want to communicate with a subset of locations, try the following:

# sites map(site,vpn/example/location1,vpn/example/location2);
Commit	Line	Data
df1b18fc SE	1	# secnet example configuration file
	2
	3	# Log facility
b2a56f7c SE	4	log syslog {
	5	ident "secnet";
	6	facility "local0";
	7	};
	8
	9	# Alternatively you could log to a file:
	10	# log logfile {
	11	# filename "/var/log/secnet";
	12	# class "info","notice","warning","error","security","fatal";
	13	# # There are some useful message classes that could replace
	14	# # this list:
	15	# # 'default' -> warning,error,security,fatal
	16	# # 'verbose' -> info,notice,default
	17	# # 'quiet' -> fatal
	18	# };
df1b18fc SE	19
	20	# Systemwide configuration (all other configuration is per-site):
	21	# log a log facility for program messages
	22	# userid who we try to run as after setup
	23	# pidfile
	24	system {
	25	userid "secnet";
	26	pidfile "/var/run/secnet.pid";
	27	};
	28
	29	# Parameters for each remote site (arguments to the site() closure):
	30	# things we configure locally
	31	# buffer buffer for constructing/sending/receiving packets
	32	# netlink user/kernel netlink device for this tunnel
	33	# comm UDP communication
	34	# resolver resolver to use for name lookups
	35	# log a log destination for this connection
	36	# log-events string list: which events we log
	37	# random a source of randomness
	38
	39	# our local configuration visible to the outside world
	40	# local-name string: how we identify ourselves to them
	41	# local-key our own private RSA key
	42	# local-port port number we listen on
	43
	44	# their configuration visible to us
	45	# name string: how they identify themselves
	46	# address string: use with resolver to find their IP address
	47	# networks string list: their networks for us
	48	# key the remote site's RSA public key
	49	# port port we send to to contact remote site
	50
	51	# things both ends must agree on
	52	# transform routine for bulk encryption
	53	# dh Diffie-Hellman parameters
	54	# hash secure hash function
	55
	56	# things both ends ought to agree on, but don't have to
	57	# key-lifetime max session key lifetime, in milliseconds
	58	# setup-retries max retransmits of a key setup packet
	59	# setup-timeout wait between retransmits of key setup packets, in ms
	60	# wait-time wait between unsuccessful key setup attempts, in ms
9d3a4132	61	# renegotiate-time set up a new key if we see any traffic after this time
df1b18fc SE	62
df1b18fc SE	63	# Use the universal TUN/TAP driver to get packets to and from the kernel
59635212	64	# (use tun-old if you are not on Linux-2.4)
df1b18fc SE	65	netlink tun {
	66	name "netlink-tun"; # Printed in log messages from this netlink
	67	# interface "tun0"; # You may set your own interface name if you wish;
	68	# if you don't one will be chosen for you.
	69
	70	# local networks served by this netlink device
	71	# incoming tunneled packets for other networks will be discarded
	72	networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
	73	local-address "192.168.x.x"; # IP address of host's tunnel interface
	74	secnet-address "192.168.x.x"; # IP address of this secnet
	75
	76	# MTU of the tunnel interface. Should be kept under the path-MTU
	77	# (by at least 60 bytes) between this secnet and its peers for
	78	# optimum performance.
	79	mtu 1400;
	80
	81	# This buffer is used to pass incoming packets onto the 'site'
	82	# module. It should be at least as big as the MTU plus 60 bytes.
	83	# Buffers can sometimes be shared between netlink devices - see
	84	# full documentation for more details. (XXX TODO)
	85	buffer sysbuffer(2048);
	86	};
	87
	88	# Alternatively (or additionally, if you like) use userv-ipif to get
	89	# packets to and from the kernel.
	90	#netlink userv-ipif {
	91	# name "netlink-userv-ipif";
	92	# # userv-path "/usr/bin/userv";
	93	# # service-user "root";
	94	# # service-name "ipif";
	95	# networks "whatever";
	96	# local-address "whatever";
	97	# secnet-address "whatever";
	98	# mtu 1400;
	99	# buffer sysbuffer(2048);
	100	#};
	101
	102	# This defines the port that this instance of secnet will listen on, and
	103	# originate packets on. It does not _have_ to correspond to the advertised
	104	# port for your site: you may be doing network address translation, for
	105	# example. You need to arrange that any UDP packets sent to the advertised
	106	# host and port for your site end up on this machine at the port you
	107	# specify here.
	108	comm udp {
	109	port xxxx;
	110	buffer sysbuffer(4096);
	111	};
	112
	113	# The resolver is used to look up IP addresses from the DNS names provided
	114	# in the sites file. You may specify an alternative resolv.conf for
	115	# ADNS here if you wish.
	116	resolver adns {
	117	# config=readfile("/etc/secnet/adns.conf");
	118	};
	119
	120	# log is defined earlier - we share it with the system
9d3a4132 SE	121	log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
9d3a4132 SE	122	"security";
df1b18fc SE	123
	124	# A source of random bits for nonces and session keys. The 'no' specifies
	125	# that it's non-blocking. XXX 'yes' isn't implemented yet.
	126	random randomfile("/dev/urandom",no);
	127
	128	local-name "your-site-name";
	129	local-key rsa-private("/etc/secnet/key");
	130
	131	# On dodgy links you may want to specify a higher maximum sequence number skew
	132	transform serpent256-cbc {
	133	max-sequence-skew 10;
	134	};
	135
08f344d3	136	include /etc/secnet/sites.conf
df1b18fc SE	137
	138	# Here you must list all the VPN sites that you wish to communicate with.
	139	# The /etc/secnet/sites file contains information on all reachable sites;
	140	# if the site you want to communicate with isn't listed, you should get
	141	# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
	142	# contains public keys for all sites.
	143
	144	sites
08f344d3 SE	145	site(vpn-data/example/location1/site1),
	146	site(vpn-data/example/location2/site1),
	147	site(vpn-data/example/location2/site2);
9d3a4132 SE	148
	149	# If you want to communicate with all the VPN sites, you can use something
	150	# like the following instead:
	151
08f344d3 SE	152	# sites map(site,vpn/example/all-sites);
	153
	154	# If you want to communicate with a subset of locations, try the following:
	155
	156	# sites map(site,vpn/example/location1,vpn/example/location2);