1 | # secnet example configuration file |
2 | ||
3 | # Log facility | |
4 | log syslog { |
5 | ident "secnet"; | |
6 | facility "local0"; | |
7 | }; | |
8 | ||
9 | # Alternatively you could log to a file: | |
10 | # log logfile { | |
11 | # filename "/var/log/secnet"; | |
12 | # class "info","notice","warning","error","security","fatal"; | |
13 | # # There are some useful message classes that could replace | |
14 | # # this list: | |
15 | # # 'default' -> warning,error,security,fatal | |
16 | # # 'verbose' -> info,notice,default | |
17 | # # 'quiet' -> fatal | |
18 | # }; | |
19 | |
20 | # Systemwide configuration (all other configuration is per-site): | |
21 | # log a log facility for program messages | |
22 | # userid who we try to run as after setup | |
23 | # pidfile | |
24 | system { | |
25 | userid "secnet"; | |
26 | pidfile "/var/run/secnet.pid"; | |
27 | }; | |
28 | ||
29 | # Parameters for each remote site (arguments to the site() closure): | |
30 | # things we configure locally | |
31 | # buffer buffer for constructing/sending/receiving packets | |
32 | # netlink user/kernel netlink device for this tunnel | |
33 | # comm UDP communication | |
34 | # resolver resolver to use for name lookups | |
35 | # log a log destination for this connection | |
36 | # log-events string list: which events we log | |
37 | # random a source of randomness | |
38 | ||
39 | # our local configuration visible to the outside world | |
40 | # local-name string: how we identify ourselves to them | |
41 | # local-key our own private RSA key | |
42 | # local-port port number we listen on | |
43 | ||
44 | # their configuration visible to us | |
45 | # name string: how they identify themselves | |
46 | # address string: use with resolver to find their IP address | |
47 | # networks string list: their networks for us | |
48 | # key the remote site's RSA public key | |
49 | # port port we send to in order to contact the remote site | |
50 | ||
51 | # things both ends must agree on | |
52 | # transform routine for bulk encryption | |
53 | # dh Diffie-Hellman parameters | |
54 | # hash secure hash function | |
55 | ||
56 | # things both ends ought to agree on, but don't have to | |
57 | # key-lifetime max session key lifetime, in milliseconds | |
58 | # setup-retries max retransmits of a key setup packet | |
59 | # setup-timeout wait between retransmits of key setup packets, in ms | |
60 | # wait-time wait between unsuccessful key setup attempts, in ms | |
9d3a4132 | 61 | # renegotiate-time set up a new key if we see any traffic after this time |
df1b18fc | 62 | |
63 | setup-retries 10; |
64 | setup-timeout 2000; | |
65 | ||
df1b18fc | 66 | # Use the universal TUN/TAP driver to get packets to and from the kernel |
59635212 | 67 | # (use tun-old if you are not on Linux-2.4) |
68 | netlink tun { |
69 | name "netlink-tun"; # Printed in log messages from this netlink | |
70 | # interface "tun0"; # You may set your own interface name if you wish; | |
71 | # if you don't, one will be chosen for you. | |
469fd1d9 | 72 | # device "/dev/net/tun"; |
73 | |
74 | # local networks served by this netlink device | |
75 | # incoming tunneled packets for other networks will be discarded | |
76 | networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24"; | |
77 | local-address "192.168.x.x"; # IP address of host's tunnel interface | |
78 | secnet-address "192.168.x.x"; # IP address of this secnet | |
79 | ||
80 | # MTU of the tunnel interface. Should be kept under the path-MTU | |
81 | # (by at least 60 bytes) between this secnet and its peers for | |
82 | # optimum performance. | |
83 | mtu 1400; | |
84 | ||
85 | # This buffer is used to pass incoming packets onto the 'site' | |
86 | # module. It should be at least as big as the MTU plus 60 bytes. | |
87 | # Buffers can sometimes be shared between netlink devices - see | |
88 | # full documentation for more details. (XXX TODO) | |
89 | buffer sysbuffer(2048); | |
90 | }; | |
91 | ||
92 | # Alternatively (or additionally, if you like) use userv-ipif to get | |
93 | # packets to and from the kernel. | |
94 | #netlink userv-ipif { | |
95 | # name "netlink-userv-ipif"; | |
96 | # # userv-path "/usr/bin/userv"; | |
97 | # # service-user "root"; | |
98 | # # service-name "ipif"; | |
99 | # networks "whatever"; | |
100 | # local-address "whatever"; | |
101 | # secnet-address "whatever"; | |
102 | # mtu 1400; | |
103 | # buffer sysbuffer(2048); | |
104 | #}; | |
105 | ||
106 | # This defines the port that this instance of secnet will listen on, and | |
107 | # originate packets on. It does not _have_ to correspond to the advertised | |
108 | # port for your site: you may be doing network address translation, for | |
109 | # example. You need to arrange that any UDP packets sent to the advertised | |
110 | # host and port for your site end up on this machine at the port you | |
111 | # specify here. | |
112 | comm udp { | |
469fd1d9 | 113 | port 410; |
114 | buffer sysbuffer(4096); |
115 | }; | |
116 | ||
117 | # The resolver is used to look up IP addresses from the DNS names provided | |
118 | # in the sites file. You may specify an alternative resolv.conf for | |
119 | # ADNS here if you wish. | |
120 | resolver adns { | |
121 | # config=readfile("/etc/secnet/adns.conf"); | |
122 | }; | |
123 | ||
124 | # log is defined earlier - we share it with the system | |
125 | log-events "setup-init","setup-timeout","activate-key","timeout-key","errors", |
126 | "security"; | |
127 | |
128 | # A source of random bits for nonces and session keys. The 'no' specifies | |
129 | # that it's non-blocking. XXX 'yes' isn't implemented yet. | |
130 | random randomfile("/dev/urandom",no); | |
131 | ||
132 | # If you're using the make-secnet-sites.py script then your local-name |
133 | # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister" | |
134 | local-name "your-site-name"; |
135 | local-key rsa-private("/etc/secnet/key"); | |
136 | ||
137 | # On unreliable (lossy or reordering) links you may want to specify a higher maximum sequence number skew; keep it as low as the link allows, since it bounds how far out of sequence a received packet may be and still be accepted | |
138 | transform serpent256-cbc { | |
139 | max-sequence-skew 10; | |
140 | }; | |
141 | ||
08f344d3 | 142 | include /etc/secnet/sites.conf |
143 | |
144 | # Here you must list all the VPN sites that you wish to communicate with. | |
145 | # The /etc/secnet/sites file contains information on all reachable sites; | |
146 | # if the site you want to communicate with isn't listed, you should get | |
147 | # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it | |
148 | # contains the public keys for all sites, so a tampered copy would let a site be impersonated. | |
149 | ||
150 | sites | |
151 | site(vpn-data/example/location1/site1), |
152 | site(vpn-data/example/location2/site1), | |
153 | site(vpn-data/example/location2/site2); | |
154 | |
155 | # If you want to communicate with all the VPN sites, you can use something | |
156 | # like the following instead: | |
157 | ||
158 | # sites map(site,vpn/example/all-sites); |
159 | ||
160 | # If you want to communicate with a subset of locations, try the following: | |
161 | ||
162 | # sites map(site,vpn/example/location1,vpn/example/location2); |