1 | # secnet example configuration file |
2 | ||
3 | # Log facility | |
4 | # If you use this unaltered you should consider providing automatic log |
5 | # rotation for /var/log/secnet. secnet will close and re-open its logfiles | |
6 | # when it receives SIGHUP. | |
7 | log logfile { |
8 | filename "/var/log/secnet"; | |
9 | class "info","notice","warning","error","security","fatal"; | |
10 | # There are some useful message classes that could replace | |
11 | # this list: | |
12 | # 'default' -> warning,error,security,fatal | |
13 | # 'verbose' -> info,notice,default | |
14 | # 'quiet' -> fatal | |
15 | }; |
16 | ||
3b83c932 | 17 | # Alternatively you could log through syslog: |
18 | # log syslog { |
19 | # ident "secnet"; | |
20 | # facility "local0"; | |
b2a56f7c | 21 | # }; |
df1b18fc | 22 | |
d3fe100d | 23 | |
24 | # Systemwide configuration (all other configuration is per-site): |
25 | # log a log facility for program messages | |
26 | # userid who we try to run as after setup | |
27 | # pidfile | |
28 | system { | |
29 | # Note that you should not specify 'userid' here unless secnet |
30 | # is being invoked as root. | |
31 | userid "secnet"; |
32 | pidfile "/var/run/secnet.pid"; | |
33 | }; | |
34 | ||
35 | # Parameters for each remote site (arguments to the site() closure): | |
36 | # things we configure locally | |
37 | # buffer buffer for constructing/sending/receiving packets | |
38 | # netlink user/kernel netlink device for this tunnel | |
39 | # comm UDP communication | |
40 | # resolver resolver to use for name lookups | |
41 | # log a log destination for this connection | |
42 | # log-events string list: which events we log | |
43 | # random a source of randomness | |
44 | ||
45 | # our local configuration visible to the outside world | |
46 | # local-name string: how we identify ourselves to them | |
47 | # local-key our own private RSA key | |
48 | # local-port port number we listen on | |
49 | ||
50 | # their configuration visible to us | |
51 | # name string: how they identify themselves | |
52 | # address string: use with resolver to find their IP address | |
53 | # networks string list: their networks for us | |
54 | # key the remote site's RSA public key | |
55 | # port port we send to to contact remote site | |
56 | ||
57 | # things both ends must agree on | |
58 | # transform routine for bulk encryption | |
59 | # dh Diffie-Hellman parameters | |
60 | # hash secure hash function | |
61 | ||
62 | # things both ends ought to agree on, but don't have to | |
63 | # key-lifetime max session key lifetime, in milliseconds | |
64 | # setup-retries max retransmits of a key setup packet | |
65 | # setup-timeout wait between retransmits of key setup packets, in ms | |
66 | # wait-time wait between unsuccessful key setup attempts, in ms | |
9d3a4132 | 67 | # renegotiate-time set up a new key if we see any traffic after this time |
df1b18fc | 68 | |
3b83c932 | 69 | # Defaults that may be overridden on a per-site basis: |
70 | setup-retries 10; |
71 | setup-timeout 2000; | |
72 | ||
73 | # Use the universal TUN/TAP driver to get packets to and from the kernel, |
74 | # through a single interface. secnet will act as a router; it requires | |
75 | # its own IP address which is specified below (you'll see it on traceroute, | |
76 | # etc. for routes that go via tunnels). If you don't want secnet to act | |
77 | # as a router, and instead want a separate kernel network interface per | |
78 | # tunnel, then see the alternative configuration below. | |
79 | ||
80 | # If you want to use userv-ipif to manage interfaces then replace the | |
81 | # word "tun" with "userv-ipif". | |
82 | netlink tun { |
83 | name "netlink-tun"; # Printed in log messages from this netlink | |
84 | # interface "tun0"; # You may set your own interface name if you wish; | |
85 | # if you don't one will be chosen for you. | |
469fd1d9 | 86 | # device "/dev/net/tun"; |
df1b18fc | 87 | |
88 | local-address "192.168.x.x"; # IP address of host's tunnel interface |
89 | secnet-address "192.168.x.x"; # IP address of this secnet | |
90 | ||
91 | # Tunnels are only allowed to use these networks; attempts to |
92 | # claim IP addresses in any other range are a configuration error | |
4f5e39ec | 93 | remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"; |
d3fe100d | 94 | |
95 | # MTU of the tunnel interface. Should be kept under the path-MTU |
96 | # (by at least 60 bytes) between this secnet and its peers for | |
97 | # optimum performance. | |
98 | mtu 1400; | |
99 | ||
100 | # This buffer is used to pass incoming packets onto the 'site' | |
101 | # module. It should be at least as big as the MTU plus 60 bytes. | |
102 | # Buffers can sometimes be shared between netlink devices - see | |
103 | # full documentation for more details. (XXX TODO) | |
104 | buffer sysbuffer(2048); | |
105 | }; | |
106 | ||
107 | # This alternative configuration allows you to create one kernel network |
108 | # interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT | |
109 | # WORK WITH "userv-ipif". This is because "tun" can share a single | |
110 | # buffer between multiple network interfaces, but userv-ipif can't. | |
111 | # To use userv-ipif in this style, process the sites.conf file so that | |
112 | # each "netlink" section contains a "buffer sysbuffer(2048);" line. | |
113 | #netlink tun; | |
114 | #local-address "192.168.x.x"; # Address of local interfaces - all the same | |
115 | #mtu 1400; | |
116 | #buffer sysbuffer(2048); | |
117 | ||
118 | |
119 | # This defines the port that this instance of secnet will listen on, and | |
120 | # originate packets on. It does not _have_ to correspond to the advertised | |
121 | # port for your site: you may be doing network address translation, for | |
122 | # example. You need to arrange that any UDP packets sent to the advertised | |
123 | # host and port for your site end up on this machine at the port you | |
124 | # specify here. | |
125 | comm udp { | |
469fd1d9 | 126 | port 410; |
127 | buffer sysbuffer(4096); |
128 | }; | |
129 | ||
130 | # The resolver is used to look up IP addresses from the DNS names provided | |
131 | # in the sites file. You may specify an alternative resolv.conf for | |
132 | # ADNS here if you wish. | |
133 | resolver adns { | |
134 | # config=readfile("/etc/secnet/adns.conf"); | |
135 | }; | |
136 | ||
137 | # log is defined earlier - we share it with the system | |
138 | log-events "setup-init","setup-timeout","activate-key","timeout-key","errors", |
139 | "security"; | |
140 | |
141 | # A source of random bits for nonces and session keys. The 'no' specifies | |
142 | # that it's non-blocking. XXX 'yes' isn't implemented yet. | |
143 | random randomfile("/dev/urandom",no); | |
144 | ||
d3fe100d | 145 | # If you're using the make-secnet-sites script then your local-name |
c6f79b17 | 146 | # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister" |
147 | local-name "your-site-name"; |
148 | local-key rsa-private("/etc/secnet/key"); | |
149 | ||
150 | # On dodgy links you may want to specify a higher maximum sequence number skew | |
5b5f297f | 151 | transform eax-serpent, serpent256-cbc; |
df1b18fc | 152 | |
08f344d3 | 153 | include /etc/secnet/sites.conf |
df1b18fc | 154 | |
155 | # The /etc/secnet/sites file contains information on all reachable sites; |
156 | # if the site you want to communicate with isn't listed, you should get | |
157 | # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it | |
158 | # contains public keys for all sites. | |
159 | ||
9d3a4132 | 160 | # If you want to communicate with all the VPN sites, you can use something |
3b83c932 | 161 | # like the following: |
9d3a4132 | 162 | |
163 | sites map(site,vpn/example/all-sites); |
164 | ||
165 | # If you only want to communicate with a subset of the VPN sites, list | |
166 | # them explicitly: | |
167 | ||
168 | # sites map(site, | |
169 | # vpn-data/example/location1/site1, | |
170 | # vpn-data/example/location2/site1, | |
171 | # vpn-data/example/location2/site2); | |
172 | |
173 | # If you want to communicate with a subset of locations, try the following: | |
174 | ||
175 | # sites map(site,vpn/example/location1,vpn/example/location2); | |
3b83c932 | 176 | |
177 | # This file is placed in the public domain (insofar as possible.) |
178 | # Authors: Stephen Early, Ian Jackson |