| 1 | INSTALLATION INSTRUCTIONS for SECNET |
| 2 | |
| 3 | USE AT YOUR OWN RISK. THIS IS ALPHA TEST SOFTWARE. I DO NOT |
| 4 | GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT |
| 5 | VERSIONS. |
| 6 | |
| 7 | * Preparation |
| 8 | |
| 9 | ** System software support |
| 10 | |
| 11 | Ensure that you have libgmp2-dev and adns installed (and bison and |
| 12 | flex, and for that matter gcc...). |
| 13 | |
| 14 | [On BSD install /usr/ports/devel/bison] |
| 15 | |
| 16 | If you intend to configure secnet to obtain packets from the kernel |
| 17 | through userv-ipif, install and configure userv-ipif. It is part of |
| 18 | userv-utils, available from ftp.chiark.greenend.org.uk in |
| 19 | /users/ian/userv |
| 20 | |
| 21 | If you intend to configure secnet to obtain packets from the kernel |
| 22 | using the universal TUN/TAP driver, make sure it's configured in your |
| 23 | kernel (it's under "network device support" in Linux-2.4) and that |
| 24 | you've created the appropriate device files; see |
| 25 | linux/Documentation/networking/tuntap.txt |
| 26 | |
| 27 | If you're using TUN/TAP on a platform other than Linux-2.4, see |
| 28 | http://vtun.sourceforge.net/tun/ |
| 29 | |
| 30 | ** System and network configuration |
| 31 | |
| 32 | If you intend to start secnet as root, I suggest you create a userid |
| 33 | for it to run as once it's ready to drop its privileges. Example (on |
| 34 | Debian): |
| 35 | # adduser --system --no-create-home secnet |
| 36 | |
| 37 | If you're using the 'soft routes' feature (for some classes of mobile |
| 38 | device) you'll have to run as root all the time, to enable secnet to |
| 39 | add and remove routes from your kernel's routing table. (This |
| 40 | restriction may be relaxed later if someone writes a userv service to |
| 41 | modify the routing table.) |
| 42 | |
| 43 | If you are joining an existing VPN, read that VPN's documentation now. |
| 44 | It may supersede the next paragraph. |
| 45 | |
| 46 | In most configurations, you will need to allocate two IP addresses for |
| 47 | use by secnet. One will be for the tunnel interface on your tunnel |
| 48 | endpoint machine (i.e. the address you see in 'ifconfig' when you look |
| 49 | at the tunnel interface). The other will be for secnet itself. These |
| 50 | addresses should probably be allocated from the range used by your |
| 51 | internal network: if you do this, you should provide appropriate |
| 52 | proxy-ARP on the internal network interface of the machine running |
| 53 | secnet (eg. add an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to |
| 54 | /etc/sysctl.conf on Debian systems and run sysctl -p). Alternatively |
| 55 | the addresses could be from some other range - this works well if the |
| 56 | machine running secnet is the default route out of your network - but |
| 57 | this requires more thought. |
| 58 | |
| 59 | http://www.ucam.org/cam-grin/ may be useful. |
| 60 | |
| 61 | * Installation |
| 62 | |
| 63 | If you installed the Debian package of secnet, skip to "If installing |
| 64 | for the first time", below, and note that example.conf can be found in |
| 65 | /usr/share/doc/secnet/examples. |
| 66 | |
| 67 | To install secnet do |
| 68 | |
| 69 | $ ./configure |
| 70 | $ make |
| 71 | # make install |
| 72 | # mkdir /etc/secnet |
| 73 | |
| 74 | (Note: you may see the following warning while compiling |
| 75 | conffile.tab.c; this is a bug in bison-1.28: |
| 76 | /usr/share/bison/bison.simple: In function `yyparse': |
| 77 | /usr/share/bison/bison.simple:285: warning: `yyval' might be used |
| 78 | uninitialized in this function |
| 79 | |
| 80 | You may if you wish apply the following patch to bison.simple: |
| 81 | diff -pu -r1.28.0.1 -r1.28.0.3 |
| 82 | --- bison.s1 1999/08/30 19:23:24 1.28.0.1 |
| 83 | +++ bison.s1 1999/08/30 21:15:18 1.28.0.3 |
| 84 | @@ -523,8 +523,14 @@ yydefault: |
| 85 | /* Do a reduction. yyn is the number of a rule to reduce with. */ |
| 86 | yyreduce: |
| 87 | yylen = yyr2[yyn]; |
| 88 | - if (yylen > 0) |
| 89 | - yyval = yyvsp[1-yylen]; /* implement default value of the action */ |
| 90 | + |
| 91 | + /* If yylen is nonzero, implement the default value of the action. |
| 92 | + Otherwise, the following line sets yyval to the semantic value of |
| 93 | + the lookahead token. This behavior is undocumented and bison |
| 94 | + users should not rely upon it. Assigning to yyval |
| 95 | + unconditionally makes the parser a bit smaller, and it avoids a |
| 96 | + GCC warning that yyval may be used uninitialized. */ |
| 97 | + yyval = yyvsp[1-yylen]; |
| 98 | |
| 99 | #if YYDEBUG != 0 |
| 100 | if (yydebug) |
| 101 | ) |
| 102 | |
| 103 | Any other warnings or errors should be reported to |
| 104 | steve@greenend.org.uk. |
| 105 | |
| 106 | If installing for the first time, do |
| 107 | |
| 108 | # cp example.conf /etc/secnet/secnet.conf |
| 109 | # cd /etc/secnet |
| 110 | # ssh-keygen -f key -t rsa1 -N "" |
| 111 | |
| 112 | [On BSD use |
| 113 | $ LDFLAGS="-L/usr/local/lib" ./configure |
| 114 | $ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" |
| 115 | XXX this should eventually be worked out automatically by 'configure'.] |
| 116 | |
| 117 | Generate a site file fragment for your site (see your VPN's |
| 118 | documentation, or see below), and submit it for inclusion in your |
| 119 | VPN's 'sites' file. Download the vpn-sites file to /etc/secnet/sites |
| 120 | - MAKE SURE YOU GET AN AUTHENTIC COPY because the sites file contains |
| 121 | public keys for all the sites in the VPN. Use the make-secnet-sites |
| 122 | program provided with the secnet distribution to convert the |
| 123 | distributed sites file into one that can be included in a secnet |
| 124 | configuration file: |
| 125 | |
| 126 | # make-secnet-sites /etc/secnet/sites /etc/secnet/sites.conf |
| 127 | |
| 128 | * Configuration |
| 129 | |
| 130 | Should be reasonably obvious - edit /etc/secnet/secnet.conf as |
| 131 | prompted by the comments in example.conf. XXX Fuller documentation of |
| 132 | the configuration file format should be forthcoming in time. Its |
| 133 | syntax is described in the README file at the moment. |
| 134 | |
| 135 | * Constructing your site file fragment |
| 136 | |
| 137 | You need the following information: |
| 138 | |
| 139 | 1. the name of your VPN. |
| 140 | |
| 141 | 2. the name of your location(s). |
| 142 | |
| 143 | 3. a short name for your site, eg. "sinister". This is used to |
| 144 | identify your site in the vpn-sites file, and should probably be the |
| 145 | same as its hostname. |
| 146 | |
| 147 | 4. the DNS name of the machine that will be the "front-end" for your |
| 148 | secnet installation. This will typically be the name of the gateway |
| 149 | machine for your network, eg. sinister.dynamic.greenend.org.uk |
| 150 | |
| 151 | secnet does not actually have to run on this machine, as long as the |
| 152 | machine can be configured to forward UDP packets to the machine that |
| 153 | is running secnet. |
| 154 | |
| 155 | 5. the port number used to contact secnet at your site. This is the |
| 156 | port number on the front-end machine, and does not necessarily have to |
| 157 | match the port number on the machine running secnet. If you want to |
| 158 | use a privileged port number we suggest 410. An appropriate |
| 159 | unprivileged port number is 51396. |
| 160 | |
| 161 | 6. the list of networks accessible at your site over the VPN. |
| 162 | |
| 163 | 7. the public part of the RSA key you generated during installation |
| 164 | (in /etc/secnet/key.pub if you followed the installation |
| 165 | instructions). This file contains three numbers and a comment on one |
| 166 | line. |
| 167 | |
| 168 | If you are running secnet on a particularly slow machine, you may like |
| 169 | to specify a larger value for the key setup retry timeout than the |
| 170 | default, to prevent unnecessary retransmissions of key setup packets. |
| 171 | See the notes in the example configuration file for more on this. |
| 172 | |
| 173 | The site file fragment should look something like this: |
| 174 | |
| 175 | vpn sgo |
| 176 | location greenend |
| 177 | contact steve@greenend.org.uk |
| 178 | site sinister |
| 179 | networks 192.168.73.0/24 192.168.1.0/24 172.19.71.0/24 |
| 180 | address sinister.dynamic.greenend.org.uk 51396 |
| 181 | pubkey 1024 35 142982503......[lots more].....0611 steve@sinister |