| 1 | # secnet example configuration file |
| 2 | |
# Log facility for program messages (shared with the 'system' block and
# with the per-site 'log' parameter). "local2" reads like a syslog
# facility, but per the original note below file/syslog logging is not
# implemented yet and everything goes to stderr - so whatever launches
# secnet must capture stderr, otherwise the "errors" and "security"
# events selected in log-events further down are simply lost.
log logfile("secnet","local2"); # Not yet implemented, goes to stderr
| 5 | |
| 6 | # Systemwide configuration (all other configuration is per-site): |
| 7 | # log a log facility for program messages |
| 8 | # userid who we try to run as after setup |
| 9 | # pidfile |
# Systemwide configuration (everything else in this file is per-site).
system {
    # Unprivileged user secnet switches to once setup is done (see the
    # 'userid' note above). Setup - and presumably the reading of the
    # private key named by local-key below - therefore still runs with
    # the starting privileges, so the key file does not need to be, and
    # should not be, readable by this user. Confirm against the secnet
    # docs before relying on that.
    userid "secnet";
    # Where the pid is recorded. /var/run is normally root-only; that is
    # fine as long as the file is written before the switch to 'userid'
    # (not stated here - verify if startup fails with a permission error).
    pidfile "/var/run/secnet.pid";
};
| 14 | |
| 15 | # Parameters for each remote site (arguments to the site() closure): |
| 16 | # things we configure locally |
| 17 | # buffer buffer for constructing/sending/receiving packets |
| 18 | # netlink user/kernel netlink device for this tunnel |
| 19 | # comm UDP communication |
| 20 | # resolver resolver to use for name lookups |
| 21 | # log a log destination for this connection |
| 22 | # log-events string list: which events we log |
| 23 | # random a source of randomness |
| 24 | |
| 25 | # our local configuration visible to the outside world |
| 26 | # local-name string: how we identify ourselves to them |
| 27 | # local-key our own private RSA key |
| 28 | # local-port port number we listen on |
| 29 | |
# their configuration visible to us
# name string: how they identify themselves
# address string: use with resolver to find their IP address (a locator
# only - the answer comes from unauthenticated DNS)
# networks string list: their networks for us
# key the remote site's RSA public key (the credential the peer's
# identity rests on, as far as this file shows)
# port port we send to to contact remote site
| 36 | |
| 37 | # things both ends must agree on |
| 38 | # transform routine for bulk encryption |
| 39 | # dh Diffie-Hellman parameters |
| 40 | # hash secure hash function |
| 41 | |
| 42 | # things both ends ought to agree on, but don't have to |
| 43 | # key-lifetime max session key lifetime, in milliseconds |
| 44 | # setup-retries max retransmits of a key setup packet |
| 45 | # setup-timeout wait between retransmits of key setup packets, in ms |
| 46 | # wait-time wait between unsuccessful key setup attempts, in ms |
| 47 | # renegotiate-time set up a new key if we see any traffic after this time |
| 48 | |
| 49 | # Use the universal TUN/TAP driver to get packets to and from the kernel |
| 50 | # (use tun-old if you are not on Linux-2.4) |
netlink tun {
    name "netlink-tun"; # Printed in log messages from this netlink
    # interface "tun0"; # You may set your own interface name if you wish;
                        # if you don't one will be chosen for you.

    # Local networks served by this netlink device. The list doubles as
    # an ingress filter: incoming tunnelled packets for any other
    # destination are discarded. Keep it to exactly the prefixes this
    # host really serves - anything listed here becomes reachable, via
    # us, from every peer site that routes to it (my reading of the
    # 'networks' parameters above; confirm against the secnet docs).
    # Replace the x.x placeholders before use.
    networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
    local-address "192.168.x.x"; # IP address of host's tunnel interface
    secnet-address "192.168.x.x"; # IP address of this secnet

    # MTU of the tunnel interface. Should be kept under the path-MTU
    # (by at least 60 bytes) between this secnet and its peers for
    # optimum performance.
    mtu 1400;

    # This buffer is used to pass incoming packets onto the 'site'
    # module. It should be at least as big as the MTU plus 60 bytes
    # (2048 leaves ample headroom over the 1400 set above; if you raise
    # the MTU, re-check this). Buffers can sometimes be shared between
    # netlink devices - see full documentation for more details.
    # (XXX TODO)
    buffer sysbuffer(2048);
};
| 73 | |
# Alternatively (or additionally, if you like) use userv-ipif to get
# packets to and from the kernel. Note that the commented-out defaults
# below name "root" as the service-user, i.e. the ipif service itself
# would run privileged; review that userv service's configuration as
# carefully as this file.
| 76 | #netlink userv-ipif { |
| 77 | # name "netlink-userv-ipif"; |
| 78 | # # userv-path "/usr/bin/userv"; |
| 79 | # # service-user "root"; |
| 80 | # # service-name "ipif"; |
| 81 | # networks "whatever"; |
| 82 | # local-address "whatever"; |
| 83 | # secnet-address "whatever"; |
| 84 | # mtu 1400; |
| 85 | # buffer sysbuffer(2048); |
| 86 | #}; |
| 87 | |
| 88 | # This defines the port that this instance of secnet will listen on, and |
| 89 | # originate packets on. It does not _have_ to correspond to the advertised |
| 90 | # port for your site: you may be doing network address translation, for |
| 91 | # example. You need to arrange that any UDP packets sent to the advertised |
| 92 | # host and port for your site end up on this machine at the port you |
| 93 | # specify here. |
comm udp {
    # Replace xxxx with the UDP port secnet binds; as the note above
    # explains, this need not equal the port advertised for this site in
    # the sites file when NAT or port forwarding sits in between. Peers
    # must be able to reach this port over UDP; where the topology allows,
    # restrict the firewall rule to the peer addresses, since this socket
    # is the only thing this file shows secnet exposing to the network.
    port xxxx;
    # Buffer for packets arriving from peers; sized larger than the
    # netlink buffer above (why is not stated here - keep it at least
    # MTU + 60 bytes, as for the netlink buffer).
    buffer sysbuffer(4096);
};
| 98 | |
| 99 | # The resolver is used to look up IP addresses from the DNS names provided |
| 100 | # in the sites file. You may specify an alternative resolv.conf for |
| 101 | # ADNS here if you wish. |
resolver adns {
    # Optional alternative resolv.conf for ADNS. DNS answers are not
    # authenticated; per the parameter list above, 'address' only locates
    # a peer while its identity rests on the 'key' from the sites file,
    # so a forged answer should at worst cause a failed setup rather than
    # a tunnel to an impostor. That is my reading of the parameters -
    # confirm against the secnet docs before depending on it.
    # config=readfile("/etc/secnet/adns.conf");
};
| 105 | |
| 106 | # log is defined earlier - we share it with the system |
# Which per-site events are logged (the destination is the system-wide
# log defined at the top of this file). Keep "errors" and "security" in
# the list whatever else you trim: they are presumably what records a
# peer that fails key setup or sends traffic that does not check out,
# which is exactly what you will want during an incident.
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
    "security";
| 109 | |
| 110 | # A source of random bits for nonces and session keys. The 'no' specifies |
| 111 | # that it's non-blocking. XXX 'yes' isn't implemented yet. |
# Source of random bits for nonces and session keys. 'no' means
# non-blocking; 'yes' (blocking) is noted above as not implemented yet.
# The secrecy of every session key comes from this file, so never point
# it at anything other than the kernel RNG - in particular never at a
# file an unprivileged user can write - and on hosts that start secnet
# very early in boot, check that the kernel RNG is seeded by then.
random randomfile("/dev/urandom",no);
| 113 | |
# How we identify ourselves to peers; must match the name used for this
# site in the sites file (as the 'name' parameter described above).
local-name "your-site-name";
# Our own RSA private key - the long-term credential the peers' copy of
# our public key (in the sites file) is checked against, as far as this
# file shows. Keep it owned by root with mode 0600, outside any
# world-readable backup, and rotate it (and the sites file entry) if the
# host is ever compromised.
local-key rsa-private("/etc/secnet/key");
| 116 | |
# On dodgy links you may want to specify a higher maximum sequence number
# skew - but raise it only as far as the link needs, since a larger value
# presumably also widens the window in which an old packet is accepted.
# Bulk-encryption transform; both ends must use the same one (see
# "things both ends must agree on" above).
transform serpent256-cbc {
    # Largest gap in sequence numbers tolerated before a packet is
    # dropped (my reading of the name - confirm in the secnet docs).
    # Raising it lets more reordered packets through on poor links, but
    # presumably also widens the window in which a captured packet can
    # be replayed, so keep it as small as the link allows.
    max-sequence-skew 10;
};
| 121 | |
# Pull in the shared description of every reachable site (names,
# addresses, networks and, critically, RSA public keys - see the note
# below). Because this file is what the peers' identities rest on, treat
# it like the private key: obtain it over an authenticated channel,
# verify it out of band, and keep it root-owned and unwritable by the
# 'secnet' user.
include /etc/secnet/sites
| 123 | |
# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains the public keys for all sites, so anyone who can substitute
# an entry can impersonate that site to you. Verify it against a
# fingerprint or signature obtained out of band, not just over the
# channel that delivered the file.
| 129 | |
# The sites we actually talk to. Listing them explicitly - rather than
# every site in example-vpn, see below - keeps the set of peers whose
# keys we accept, and whose 'networks' we will route to, to the minimum
# this host needs.
sites
    site(example-vpn/some-site),
    site(example-vpn/some-other-site),
    site(example-vpn/a-third-site);
| 134 | |
# If you want to communicate with all the VPN sites, you can use something
# like the following instead. Be aware that this accepts every site in
# the sites file as a peer, including any added in future versions, so
# it widens what you trust with each update of that file:

# sites map(site,makelist(example-vpn));