[secnet] / example.conf

# secnet example configuration file

# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet.  secnet will close and re-open its logfiles
# when it receives SIGHUP.
log logfile {
	filename "/var/log/secnet";
	class "info","notice","warning","error","security","fatal";
	# There are some useful message classes that could replace
	# this list:
	#  'default' -> warning,error,security,fatal
	#  'verbose' -> info,notice,default
	#  'quiet'   -> fatal
};

# Alternatively you could log through syslog:
# log syslog {
# 	ident "secnet";
# 	facility "local0";
# };


# Systemwide configuration (all other configuration is per-site):
# log		a log facility for program messages
# userid	who we try to run as after setup
# pidfile
system {
	# Note that you should not specify 'userid' here unless secnet
	# is being invoked as root.
	userid "secnet";
	pidfile "/var/run/secnet.pid";
};

# Parameters for each remote site (arguments to the site() closure):
#  things we configure locally
# buffer                buffer for constructing/sending/receiving packets
# netlink		user/kernel netlink device for this tunnel
# comm			UDP communication
# resolver		resolver to use for name lookups
# log			a log destination for this connection
# log-events		string list: which events we log
# random                a source of randomness

#  our local configuration visible to the outside world
# local-name		string: how we identify ourselves to them
# local-key		our own private RSA key
# local-port		port number we listen on

#  their configuration visible to us
# name			string: how they identify themselves
# address		string: use with resolver to find their IP address
# networks		string list: their networks for us
# key			the remote site's RSA public key
# port			port we send to to contact remote site

#  things both ends must agree on
# transform             routine for bulk encryption
# dh			Diffie-Hellman parameters
# hash			secure hash function

#  things both ends ought to agree on, but don't have to
# key-lifetime          max session key lifetime, in milliseconds
# setup-retries         max retransmits of a key setup packet
# setup-timeout         wait between retransmits of key setup packets, in ms
# wait-time             wait between unsuccessful key setup attempts, in ms
# renegotiate-time      set up a new key if we see any traffic after this time

# Defaults that may be overridden on a per-site basis:
setup-retries 10;
setup-timeout 2000;

# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface.  secnet will act as a router; it requires
# its own IP address which is specified below (you'll see it on traceroute,
# etc. for routes that go via tunnels).  If you don't want secnet to act
# as a router, and instead want a separate kernel network interface per
# tunnel, then see the alternative configuration below

# If you want to use userv-ipif to manage interfaces then replace the
# word "tun" with "userv-ipif".
netlink tun {
	name "netlink-tun"; # Printed in log messages from this netlink
#	interface "tun0"; # You may set your own interface name if you wish;
		# if you don't one will be chosen for you.
#	device "/dev/net/tun";

	local-address "192.168.x.x"; # IP address of host's tunnel interface
	secnet-address "192.168.x.x"; # IP address of this secnet

	# Tunnels are only allowed to use these networks; attempts to
	# claim IP addresses in any other ranges is a configuration error
	remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";

	# MTU of the tunnel interface. Should be kept under the path-MTU
	# (by at least 60 bytes) between this secnet and its peers for
	# optimum performance.
	mtu 1400;

	# This buffer is used to pass incoming packets onto the 'site'
	# module. It should be at least as big as the MTU plus 60 bytes.
	# Buffers can sometimes be shared between netlink devices - see
	# full documentation for more details. (XXX TODO)
	buffer sysbuffer(2048);
};

# This alternative configuration allows you to create one kernel network
# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
# WORK WITH "userv-ipif".  This is because "tun" can share a single
# buffer between multiple network interfaces, but userv-ipif can't.
# To use userv-ipif in this style, process the sites.conf file so that
# each "netlink" section contains a "buffer sysbuffer(2048);" line.
#netlink tun;
#local-address "192.168.x.x"; # Address of local interfaces - all the same
#mtu 1400;
#buffer sysbuffer(2048);


# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
	port 410;
	buffer sysbuffer(4096);
};

# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
resolver adns {
#	config=readfile("/etc/secnet/adns.conf");
};

# log is defined earlier - we share it with the system
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
	"security";

# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);

# If you're using the make-secnet-sites script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");

# On dodgy links you may want to specify a higher maximum sequence number skew
transform eax-serpent, serpent256-cbc;

include /etc/secnet/sites.conf

# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.

# If you want to communicate with all the VPN sites, you can use something
# like the following:

sites map(site,vpn/example/all-sites);

# If you only want to communicate with a subset of the VPN sites, list
# them explicitly:

# sites map(site,
#	vpn-data/example/location1/site1,
#	vpn-data/example/location2/site1,
#	vpn-data/example/location2/site2);

# If you want to communicate with a subset of locations, try the following:

# sites map(site,vpn/example/location1,vpn/example/location2);

# This file is placed in the public domain (insofar as possible.)
# Authors:  Stephen Early, Ian Jackson
Commit	Line	Data
df1b18fc SE	1	# secnet example configuration file
	2
	3	# Log facility
3b83c932 SE	4	# If you use this unaltered you should consider providing automatic log
	5	# rotation for /var/log/secnet. secnet will close and re-open its logfiles
	6	# when it receives SIGHUP.
d3fe100d SE	7	log logfile {
	8	filename "/var/log/secnet";
	9	class "info","notice","warning","error","security","fatal";
	10	# There are some useful message classes that could replace
	11	# this list:
	12	# 'default' -> warning,error,security,fatal
	13	# 'verbose' -> info,notice,default
	14	# 'quiet' -> fatal
b2a56f7c SE	15	};
b2a56f7c SE	16
3b83c932	17	# Alternatively you could log through syslog:
d3fe100d SE	18	# log syslog {
	19	# ident "secnet";
	20	# facility "local0";
b2a56f7c	21	# };
df1b18fc	22
d3fe100d	23
df1b18fc SE	24	# Systemwide configuration (all other configuration is per-site):
	25	# log a log facility for program messages
	26	# userid who we try to run as after setup
	27	# pidfile
	28	system {
3b83c932 SE	29	# Note that you should not specify 'userid' here unless secnet
3b83c932 SE	30	# is being invoked as root.
df1b18fc SE	31	userid "secnet";
	32	pidfile "/var/run/secnet.pid";
	33	};
	34
	35	# Parameters for each remote site (arguments to the site() closure):
	36	# things we configure locally
	37	# buffer buffer for constructing/sending/receiving packets
	38	# netlink user/kernel netlink device for this tunnel
	39	# comm UDP communication
	40	# resolver resolver to use for name lookups
	41	# log a log destination for this connection
	42	# log-events string list: which events we log
	43	# random a source of randomness
	44
	45	# our local configuration visible to the outside world
	46	# local-name string: how we identify ourselves to them
	47	# local-key our own private RSA key
	48	# local-port port number we listen on
	49
	50	# their configuration visible to us
	51	# name string: how they identify themselves
	52	# address string: use with resolver to find their IP address
	53	# networks string list: their networks for us
	54	# key the remote site's RSA public key
	55	# port port we send to to contact remote site
	56
	57	# things both ends must agree on
	58	# transform routine for bulk encryption
	59	# dh Diffie-Hellman parameters
	60	# hash secure hash function
	61
	62	# things both ends ought to agree on, but don't have to
	63	# key-lifetime max session key lifetime, in milliseconds
	64	# setup-retries max retransmits of a key setup packet
	65	# setup-timeout wait between retransmits of key setup packets, in ms
	66	# wait-time wait between unsuccessful key setup attempts, in ms
9d3a4132	67	# renegotiate-time set up a new key if we see any traffic after this time
df1b18fc	68
3b83c932	69	# Defaults that may be overridden on a per-site basis:
c6f79b17 SE	70	setup-retries 10;
	71	setup-timeout 2000;
	72
3b83c932 SE	73	# Use the universal TUN/TAP driver to get packets to and from the kernel,
	74	# through a single interface. secnet will act as a router; it requires
	75	# its own IP address which is specified below (you'll see it on traceroute,
	76	# etc. for routes that go via tunnels). If you don't want secnet to act
	77	# as a router, and instead want a separate kernel network interface per
	78	# tunnel, then see the alternative configuration below
	79
	80	# If you want to use userv-ipif to manage interfaces then replace the
	81	# word "tun" with "userv-ipif".
df1b18fc SE	82	netlink tun {
	83	name "netlink-tun"; # Printed in log messages from this netlink
	84	# interface "tun0"; # You may set your own interface name if you wish;
	85	# if you don't one will be chosen for you.
469fd1d9	86	# device "/dev/net/tun";
df1b18fc	87
df1b18fc SE	88	local-address "192.168.x.x"; # IP address of host's tunnel interface
	89	secnet-address "192.168.x.x"; # IP address of this secnet
	90
d3fe100d SE	91	# Tunnels are only allowed to use these networks; attempts to
d3fe100d SE	92	# claim IP addresses in any other ranges is a configuration error
4f5e39ec	93	remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
d3fe100d	94
df1b18fc SE	95	# MTU of the tunnel interface. Should be kept under the path-MTU
	96	# (by at least 60 bytes) between this secnet and its peers for
	97	# optimum performance.
	98	mtu 1400;
	99
	100	# This buffer is used to pass incoming packets onto the 'site'
	101	# module. It should be at least as big as the MTU plus 60 bytes.
	102	# Buffers can sometimes be shared between netlink devices - see
	103	# full documentation for more details. (XXX TODO)
	104	buffer sysbuffer(2048);
	105	};
	106
3b83c932 SE	107	# This alternative configuration allows you to create one kernel network
	108	# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
	109	# WORK WITH "userv-ipif". This is because "tun" can share a single
	110	# buffer between multiple network interfaces, but userv-ipif can't.
	111	# To use userv-ipif in this style, process the sites.conf file so that
	112	# each "netlink" section contains a "buffer sysbuffer(2048);" line.
	113	#netlink tun;
	114	#local-address "192.168.x.x"; # Address of local interfaces - all the same
	115	#mtu 1400;
	116	#buffer sysbuffer(2048);
	117
df1b18fc SE	118
	119	# This defines the port that this instance of secnet will listen on, and
	120	# originate packets on. It does not _have_ to correspond to the advertised
	121	# port for your site: you may be doing network address translation, for
	122	# example. You need to arrange that any UDP packets sent to the advertised
	123	# host and port for your site end up on this machine at the port you
	124	# specify here.
	125	comm udp {
469fd1d9	126	port 410;
df1b18fc SE	127	buffer sysbuffer(4096);
	128	};
	129
	130	# The resolver is used to look up IP addresses from the DNS names provided
	131	# in the sites file. You may specify an alternative resolv.conf for
	132	# ADNS here if you wish.
	133	resolver adns {
	134	# config=readfile("/etc/secnet/adns.conf");
	135	};
	136
	137	# log is defined earlier - we share it with the system
9d3a4132 SE	138	log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
9d3a4132 SE	139	"security";
df1b18fc SE	140
	141	# A source of random bits for nonces and session keys. The 'no' specifies
	142	# that it's non-blocking. XXX 'yes' isn't implemented yet.
	143	random randomfile("/dev/urandom",no);
	144
d3fe100d	145	# If you're using the make-secnet-sites script then your local-name
c6f79b17	146	# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
df1b18fc SE	147	local-name "your-site-name";
	148	local-key rsa-private("/etc/secnet/key");
	149
	150	# On dodgy links you may want to specify a higher maximum sequence number skew
5b5f297f	151	transform eax-serpent, serpent256-cbc;
df1b18fc	152
08f344d3	153	include /etc/secnet/sites.conf
df1b18fc	154
df1b18fc SE	155	# The /etc/secnet/sites file contains information on all reachable sites;
	156	# if the site you want to communicate with isn't listed, you should get
	157	# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
	158	# contains public keys for all sites.
	159
9d3a4132	160	# If you want to communicate with all the VPN sites, you can use something
3b83c932	161	# like the following:
9d3a4132	162
3b83c932 SE	163	sites map(site,vpn/example/all-sites);
	164
	165	# If you only want to communicate with a subset of the VPN sites, list
	166	# them explicitly:
	167
	168	# sites map(site,
	169	# vpn-data/example/location1/site1,
	170	# vpn-data/example/location2/site1,
	171	# vpn-data/example/location2/site2);
08f344d3 SE	172
	173	# If you want to communicate with a subset of locations, try the following:
	174
	175	# sites map(site,vpn/example/location1,vpn/example/location2);
3b83c932	176
c215a4bc IJ	177	# This file is placed in the public domain (insofar as possible.)
c215a4bc IJ	178	# Authors: Stephen Early, Ian Jackson