1 | # secnet configuration file |
2 | ||
3 | # This file defines a dictionary full of configuration information for | |
4 | # secnet. Two keys must be defined in this file for secnet to | |
5 | # start. One is "system", a dictionary containing systemwide control | |
6 | # parameters. The other is "sites", a list of all the sites that you | |
7 | # intend to communicate with. | |
8 | ||
9 | # Other files can be included inline by writing "include filename" at | |
10 | # the start of a line. | |
11 | ||
12 | # The configuration file has a fairly simple syntax: | |
13 | # key definition; or key = definition; (the "=" is optional) | |
14 | # ...sets 'key' in the current dictionary to 'definition'. | |
15 | # | |
16 | # "key" is [[:alpha:]_][[:alnum:]\-_]* | |
17 | # | |
18 | # definition may be one of the following: | |
19 | # a string, in quotes | |
20 | # a number, in decimal | |
21 | # a dictionary, in { } | |
22 | # a path to a key that already exists, to reference that definition | |
23 | # a "closure", followed by arguments | |
24 | # | |
25 | # paths are key1/key2/key3... (starting from wherever we find key1, i.e. in | |
26 | # the current dictionary or any of its parents) | |
27 | # alternatively /key1/key2/key3... (to start from the root) | |
28 | # | |
29 | # closures are followed by an argument list in ( ), and may return | |
30 | # whatever type they like (including other closures) | |
31 | # | |
32 | # closure { definitions } is short for closure({definitions}). | |
33 | # | |
34 | # Whenever secnet looks for a key it checks the (lexical) parent dictionaries | |
35 | # as well until it finds it or reaches the root. This is useful for setting | |
36 | # defaults for large collections of dictionaries (eg. defining sites). | |
37 | # | |
38 | # It is also permissible to list other dictionaries before a dictionary | |
39 | # definition, eg. <defaults,otherdefaults>{definitions}. These will be | |
40 | # searched in order for keys, before the lexical parent. (Not yet implemented) | |
41 | # | |
42 | # secnet predefines some keys in the root dictionary; some useful ones are: | |
43 | # yes, true, True, TRUE: the boolean value True | |
44 | # no, false, False, FALSE: the boolean value False | |
45 | # makelist: turns a dictionary (arg1) into a list (return value) | |
46 | # readfile: reads a file (arg1) and returns it as a string | |
47 | # | |
48 | # secnet modules also predefine keys, eg. "adns", "randomfile", etc. | |
49 | # See the module documentation for more information. | |
50 | ||
51 | # After the configuration file is read, secnet looks for particular keys | |
52 | # in configuration space to tell it what to do: | |
53 | # system: system-wide parameters (control, logging, etc.) | |
54 | # sites: a list of sites with which to communicate | |
55 | ||
56 | # Log facility | |
57 | log logfile("secnet","local2"); # Not yet implemented, goes to stderr | |
| # NOTE(review): while logfile() is unimplemented (per the comment on the line above), | |
| # every program message goes to stderr, so whatever supervises the daemon must capture | |
| # stderr or the log is simply lost. | |
58 | ||
59 | # Systemwide configuration (all other configuration is per-site): | |
60 | # log a log facility for program messages | |
61 | # userid who we try to run as after setup | |
62 | # pidfile | |
63 | system { | |
| # Systemwide parameters. Only pidfile is set; userid is left commented out, so secnet | |
| # presumably keeps the uid it was started with (no drop-privileges step is configured). | |
64 | # userid "steve"; | |
65 | # pidfile "/var/run/secnet.pid"; | |
66 | pidfile "foo.pid"; | |
| # NOTE(review): "foo.pid" is a relative path, so the pidfile lands in whatever directory | |
| # secnet is started from; the commented-out /var/run/secnet.pid above is the absolute | |
| # form to use for a real deployment. | |
67 | }; | |
68 | ||
69 | # Parameters for each remote site (arguments to the site() closure): | |
70 | # things we configure locally | |
71 | # buffer buffer for constructing/sending/receiving packets | |
72 | # netlink user/kernel netlink device for this tunnel | |
73 | # comm UDP communication | |
74 | # resolver resolver to use for name lookups | |
75 | # log a log destination for this connection | |
76 | # log-events string list: which events we log | |
77 | # random a source of randomness | |
78 | ||
79 | # our local configuration visible to the outside world | |
80 | # local-name string: how we identify ourselves to them | |
81 | # local-key our own private RSA key | |
82 | # local-port port number we listen on | |
83 | ||
84 | # their configuration visible to us | |
85 | # name string: how they identify themselves | |
86 | # address string: use with resolver to find their IP address | |
87 | # networks string list: their networks for us | |
88 | # key the remote site's RSA public key | |
89 | # port port we send to in order to contact the remote site | |
90 | ||
91 | # things both ends must agree on | |
92 | # transform routine for bulk encryption | |
93 | # dh Diffie-Hellman parameters | |
94 | # hash secure hash function | |
95 | ||
96 | # things both ends ought to agree on, but don't have to | |
97 | # key-lifetime max session key lifetime, in milliseconds | |
98 | # setup-retries max retransmits of a key setup packet | |
99 | # setup-timeout wait between retransmits of key setup packets, in ms | |
100 | # wait-time wait between unsuccessful key setup attempts, in ms | |
101 | ||
102 | netlink userv-ipif { | |
| # Kernel-side tunnel endpoint, driven through userv/ipif. The commented-out keys below | |
| # are the overridable userv settings; leaving them out presumably selects the module's | |
| # built-in values — confirm against the userv-ipif module documentation. | |
103 | name "userv-ipif"; # Printed in log messages from this netlink | |
104 | # userv-path "/usr/bin/userv"; | |
105 | # service-user "root"; | |
106 | # service-name "ipif"; | |
107 | ||
108 | # local networks served by this netlink device | |
109 | # incoming tunneled packets for other networks will be discarded | |
110 | networks "192.168.73.0/24", "192.168.1.0/24", "172.19.71.0/24"; | |
111 | local-address "192.168.73.72"; # IP address of interface | |
112 | secnet-address "192.168.73.73"; # IP address of secnet | |
113 | mtu 1400; | |
| # mtu 1400 is presumably chosen to leave headroom for the UDP/IP tunnel overhead below | |
| # the usual 1500-byte link MTU — confirm against the path MTU actually in use. | |
114 | ||
115 | buffer sysbuffer(); # userv/ipif needs a buffer to build incoming | |
116 | # packets from the netlink device before passing them | |
117 | # to the site layer | |
118 | }; | |
119 | comm udp { | |
| # UDP transport. port 1234 matches the port advertised in the myrddin dictionary below. | |
| # lockdown=yes presumably pins the 4096-byte buffer in memory — confirm against the | |
| # sysbuffer documentation. | |
120 | port 1234; | |
121 | buffer sysbuffer(4096,{lockdown=yes;}); | |
122 | }; | |
123 | resolver adns { | |
| # NOTE(review): "wibble wobble" reads as a placeholder adns config string — confirm what | |
| # adns expects here before this file is used outside a test setup. | |
124 | config="wibble wobble"; | |
125 | }; | |
126 | # log is defined earlier - we share it with the system | |
127 | log-events "init","up","down"; | |
128 | random randomfile("/dev/urandom",no); | |
| # NOTE(review): randomfile()'s second argument is a boolean (no) whose meaning is not | |
| # documented in this file — confirm against the randomfile module documentation. | |
129 | ||
130 | local-name "myrddin"; | |
131 | local-key rsa-private("private-key"); | |
| # NOTE(review): "private-key" is a relative path, resolved from the directory secnet is | |
| # started in; the file holds this site's RSA private key (see the parameter list above), | |
| # so keep it owned by the secnet user and unreadable by anyone else. | |
132 | ||
133 | transform serpent256-cbc { | |
| # Bulk-encryption transform; it is in the "things both ends must agree on" list above, | |
| # so the peer must be configured identically. max-sequence-skew presumably bounds how | |
| # far out of order packets may arrive before being dropped — confirm. | |
134 | max-sequence-skew 10; | |
135 | }; | |
136 | ||
137 | dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2"); | |
| # NOTE(review): the modulus above is 256 hex digits, i.e. a 1024-bit DH group, with a | |
| # second argument (presumably the generator) of 2. 1024-bit finite-field DH is below | |
| # current recommendations; plan a move to a larger group, changing both ends together | |
| # since dh is in the "must agree" list above. | |
138 | hash md5; | |
| # NOTE(review): MD5 is collision-broken. If this hash feeds key setup or peer | |
| # authentication, a stronger hash is warranted — again both ends must change together. | |
139 | ||
| # key-lifetime is in milliseconds (per the list above): 20000 = 20 s between session-key | |
| # renewals. | |
140 | key-lifetime 20000; | |
141 | ||
142 | zealot { | |
| # Remote peer: how it names itself, the hostname handed to the resolver, the port we | |
| # send to, the networks routed through the tunnel to it, and its RSA public key (see | |
| # the "their configuration visible to us" list above). | |
143 | name "zealot"; | |
144 | address "zealot.sinister.greenend.org.uk"; | |
145 | port 5678; | |
146 | networks "192.168.73.74/32", "192.168.73.75/32"; | |
147 | key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833"); | |
148 | }; | |
149 | ||
150 | myrddin { | |
| # "myrddin" is this host (local-name above) written in the same shape as zealot. It is | |
| # not passed to site() at the bottom of the file, so this dictionary is only a | |
| # reference/template here unless the peer's config is generated from it — confirm. | |
151 | name "myrddin"; | |
152 | address "myrddin.sinister.greenend.org.uk"; | |
153 | port 1234; | |
154 | networks "192.168.73.72/32", "192.168.73.73/32"; | |
155 | key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543"); | |
156 | }; | |
157 | ||
| # The list of sites to communicate with (see the "sites" key described at the top). Only | |
| # zealot is wired in; a dictionary that is not passed to site() (e.g. myrddin above) is | |
| # not used as a peer. | |
158 | sites site(zealot); |