1 | # secnet example configuration file |
2 | ||
3 | # Log facility | |
4 | log logfile("secnet","local2"); # Not yet implemented, goes to stderr | |
5 | ||
6 | # Systemwide configuration (all other configuration is per-site): | |
7 | # log a log facility for program messages | |
8 | # userid who we try to run as after setup | |
9 | # pidfile | |
10 | system { | |
11 | userid "secnet"; | |
12 | pidfile "/var/run/secnet.pid"; | |
13 | }; | |
14 | ||
15 | # Parameters for each remote site (arguments to the site() closure): | |
16 | # things we configure locally | |
17 | # buffer buffer for constructing/sending/receiving packets | |
18 | # netlink user/kernel netlink device for this tunnel | |
19 | # comm UDP communication | |
20 | # resolver resolver to use for name lookups | |
21 | # log a log destination for this connection | |
22 | # log-events string list: which events we log | |
23 | # random a source of randomness | |
24 | ||
25 | # our local configuration visible to the outside world | |
26 | # local-name string: how we identify ourselves to them | |
27 | # local-key our own private RSA key | |
28 | # local-port port number we listen on | |
29 | ||
30 | # their configuration visible to us | |
31 | # name string: how they identify themselves | |
32 | # address string: use with resolver to find their IP address | |
33 | # networks string list: their networks for us | |
34 | # key the remote site's RSA public key | |
35 | # port port we send to in order to contact the remote site | |
36 | ||
37 | # things both ends must agree on | |
38 | # transform routine for bulk encryption | |
39 | # dh Diffie-Hellman parameters | |
40 | # hash secure hash function | |
41 | ||
42 | # things both ends ought to agree on, but don't have to | |
43 | # key-lifetime max session key lifetime, in milliseconds | |
44 | # setup-retries max retransmits of a key setup packet | |
45 | # setup-timeout wait between retransmits of key setup packets, in ms | |
46 | # wait-time wait between unsuccessful key setup attempts, in ms | |
9d3a4132 | 47 | # renegotiate-time set up a new key if we see any traffic after this time |
48 | |
49 | # Use the universal TUN/TAP driver to get packets to and from the kernel | |
59635212 | 50 | # (use tun-old if you are not on Linux-2.4) |
51 | netlink tun { |
52 | name "netlink-tun"; # Printed in log messages from this netlink | |
53 | # interface "tun0"; # You may set your own interface name if you wish; | |
54 | # if you don't, one will be chosen for you. | |
55 | ||
56 | # local networks served by this netlink device | |
57 | # incoming tunneled packets for other networks will be discarded | |
58 | networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24"; | |
59 | local-address "192.168.x.x"; # IP address of host's tunnel interface | |
60 | secnet-address "192.168.x.x"; # IP address of this secnet | |
61 | ||
62 | # MTU of the tunnel interface. Should be kept under the path-MTU | |
63 | # (by at least 60 bytes) between this secnet and its peers for | |
64 | # optimum performance. | |
65 | mtu 1400; | |
66 | ||
67 | # This buffer is used to pass incoming packets onto the 'site' | |
68 | # module. It should be at least as big as the MTU plus 60 bytes. | |
69 | # Buffers can sometimes be shared between netlink devices - see | |
70 | # full documentation for more details. (XXX TODO) | |
71 | buffer sysbuffer(2048); | |
72 | }; | |
73 | ||
74 | # Alternatively (or additionally, if you like) use userv-ipif to get | |
75 | # packets to and from the kernel. | |
76 | #netlink userv-ipif { | |
77 | # name "netlink-userv-ipif"; | |
78 | # # userv-path "/usr/bin/userv"; | |
79 | # # service-user "root"; | |
80 | # # service-name "ipif"; | |
81 | # networks "whatever"; | |
82 | # local-address "whatever"; | |
83 | # secnet-address "whatever"; | |
84 | # mtu 1400; | |
85 | # buffer sysbuffer(2048); | |
86 | #}; | |
87 | ||
88 | # This defines the port that this instance of secnet will listen on, and | |
89 | # originate packets on. It does not _have_ to correspond to the advertised | |
90 | # port for your site: you may be doing network address translation, for | |
91 | # example. You need to arrange that any UDP packets sent to the advertised | |
92 | # host and port for your site end up on this machine at the port you | |
93 | # specify here. | |
94 | comm udp { | |
95 | port xxxx; | |
96 | buffer sysbuffer(4096); | |
97 | }; | |
98 | ||
99 | # The resolver is used to look up IP addresses from the DNS names provided | |
100 | # in the sites file. You may specify an alternative resolv.conf for | |
101 | # ADNS here if you wish. | |
102 | resolver adns { | |
103 | # config=readfile("/etc/secnet/adns.conf"); | |
104 | }; | |
105 | ||
106 | # log is defined earlier - we share it with the system | |
107 | log-events "setup-init","setup-timeout","activate-key","timeout-key","errors", |
108 | "security"; | |
109 | |
110 | # A source of random bits for nonces and session keys. The 'no' specifies | |
111 | # that it's non-blocking. XXX 'yes' isn't implemented yet. | |
112 | random randomfile("/dev/urandom",no); | |
113 | ||
114 | local-name "your-site-name"; | |
115 | local-key rsa-private("/etc/secnet/key"); | |
116 | ||
117 | # On unreliable links (packet loss or reordering) you may want to specify a higher maximum sequence number skew | |
118 | transform serpent256-cbc { | |
119 | max-sequence-skew 10; | |
120 | }; | |
121 | ||
122 | include /etc/secnet/sites | |
123 | ||
124 | # Here you must list all the VPN sites that you wish to communicate with. | |
125 | # The /etc/secnet/sites file contains information on all reachable sites; | |
126 | # if the site you want to communicate with isn't listed, you should get | |
127 | # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it | |
128 | # contains the public keys for all sites, so a tampered copy would let an attacker impersonate a site. | |
129 | ||
130 | sites | |
131 | site(example-vpn/some-site), | |
132 | site(example-vpn/some-other-site), | |
133 | site(example-vpn/a-third-site); | |
134 | |
135 | # If you want to communicate with all the VPN sites, you can use something | |
136 | # like the following instead: | |
137 | ||
138 | # sites map(site,makelist(example-vpn)); |