# secnet example configuration file
#
# Every value written below as "x.x", "xxxx" or "your-site-name" is a
# placeholder and must be replaced before this file is used.

# Log facility
# No 'class' list is given here, so the logger's built-in default message
# selection applies (the logfile example below describes 'default' as
# warning,error,security,fatal; confirm the same holds for syslog).
log syslog {
    ident "secnet";
    facility "local0";
};

# Alternatively you could log to a file:
# Whatever class list you choose, keep 'error' and 'security' in it so
# that security-related messages are not silently dropped.
# log logfile {
# filename "/var/log/secnet";
# class "info","notice","warning","error","security","fatal";
# # There are some useful message classes that could replace
# # this list:
# # 'default' -> warning,error,security,fatal
# # 'verbose' -> info,notice,default
# # 'quiet' -> fatal
# };

# Systemwide configuration (all other configuration is per-site):
# log a log facility for program messages
# userid who we try to run as after setup
# pidfile
# 'log' is not repeated here: the 'log syslog' definition above is the
# one shared with the system (see the note at log-events further down).
system {
    # Unprivileged account to switch to once setup is complete; create it
    # with no login shell and no password.
    userid "secnet";
    # Location of the pid file; the directory must be writable by the
    # user that creates it.
    pidfile "/var/run/secnet.pid";
};

# Parameters for each remote site (arguments to the site() closure):
# things we configure locally
# buffer buffer for constructing/sending/receiving packets
# netlink user/kernel netlink device for this tunnel
# comm UDP communication
# resolver resolver to use for name lookups
# log a log destination for this connection
# log-events string list: which events we log
# random a source of randomness

# our local configuration visible to the outside world
# local-name string: how we identify ourselves to them
# local-key our own private RSA key
# local-port port number we listen on

# their configuration visible to us
# name string: how they identify themselves
# address string: use with resolver to find their IP address
# networks string list: their networks for us
# key the remote site's RSA public key
# port port we send to to contact remote site

# things both ends must agree on
# transform routine for bulk encryption
# dh Diffie-Hellman parameters
# hash secure hash function

# things both ends ought to agree on, but don't have to
# key-lifetime max session key lifetime, in milliseconds
# setup-retries max retransmits of a key setup packet
# setup-timeout wait between retransmits of key setup packets, in ms
# wait-time wait between unsuccessful key setup attempts, in ms
# renegotiate-time set up a new key if we see any traffic after this time

# The two settings below are given at top level so that every site()
# defined later can pick them up; the other timing parameters listed
# above are left at their built-in defaults here. Ten retransmits spaced
# 2000 ms apart bound a single key-setup attempt to roughly 20 seconds.
setup-retries 10;
setup-timeout 2000;

# Use the universal TUN/TAP driver to get packets to and from the kernel
# (use tun-old if you are not on Linux-2.4)
netlink tun {
    name "netlink-tun"; # Printed in log messages from this netlink
    # interface "tun0"; # You may set your own interface name if you wish;
    # if you don't one will be chosen for you.

    # local networks served by this netlink device
    # incoming tunneled packets for other networks will be discarded
    # (so this list doubles as an ingress filter: list only the prefixes
    # that genuinely live behind this host)
    networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
    local-address "192.168.x.x"; # IP address of host's tunnel interface
    secnet-address "192.168.x.x"; # IP address of this secnet

    # MTU of the tunnel interface. Should be kept under the path-MTU
    # (by at least 60 bytes) between this secnet and its peers for
    # optimum performance.
    mtu 1400;

    # This buffer is used to pass incoming packets onto the 'site'
    # module. It should be at least as big as the MTU plus 60 bytes
    # (2048 satisfies that for the 1400-byte MTU above; if you raise the
    # MTU, raise the buffer with it).
    # Buffers can sometimes be shared between netlink devices - see
    # full documentation for more details. (XXX TODO)
    buffer sysbuffer(2048);
};

# Alternatively (or additionally, if you like) use userv-ipif to get
# packets to and from the kernel.
# To enable it, remove the leading '#' from each line of the block and
# replace every "whatever" with a real value; the same networks/MTU/buffer
# considerations as for the tun netlink above apply.
#netlink userv-ipif {
# name "netlink-userv-ipif";
# # userv-path "/usr/bin/userv";
# # service-user "root";
# # service-name "ipif";
# networks "whatever";
# local-address "whatever";
# secnet-address "whatever";
# mtu 1400;
# buffer sysbuffer(2048);
#};

# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
    # Replace xxxx with the real port number. This is the only UDP port
    # that needs to be reachable from your peers; keep everything else
    # filtered.
    port xxxx;
    # packet buffer for the UDP socket; sized larger than the netlink
    # buffer above
    buffer sysbuffer(4096);
};

# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
resolver adns {
    # Uncomment to point ADNS at a dedicated resolv.conf, for example one
    # that names only resolvers you control.
    # config=readfile("/etc/secnet/adns.conf");
};

# log is defined earlier - we share it with the system
# Keep "errors" and "security" in this list: they are the events most
# useful for noticing problems with a peer after the fact.
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
"security";

# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
# Do not point this at a regular file or any other predictable source:
# the nonces and session keys are only as strong as what comes out of it.
random randomfile("/dev/urandom",no);

# If you're using the make-secnet-sites.py script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
# Our private RSA key. Keep the file readable only by the user that needs
# it (mode 0600) and never paste it into the sites file, which carries
# public keys only.
# NOTE(review): the key is presumably read during setup, before the
# switch to the 'userid' given in the system section - confirm which
# user needs read access.
local-key rsa-private("/etc/secnet/key");

# On dodgy links you may want to specify a higher maximum sequence number skew
# (the skew is presumably how much sequence-number reordering is still
#  accepted, so raising it also widens the window in which a replayed
#  packet would be accepted - keep it as small as your link allows)
transform serpent256-cbc {
    max-sequence-skew 10;
};

include /etc/secnet/sites.conf

# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites.conf file included above contains information on
# all reachable sites; if the site you want to communicate with isn't
# listed, you should get a newer version. MAKE SURE YOU GET AN AUTHENTIC
# COPY OF THE FILE - it contains public keys for all sites.
# List only the sites you actually need: each entry is a peer this host
# will exchange keys and traffic with.

sites
site(vpn-data/example/location1/site1),
site(vpn-data/example/location2/site1),
site(vpn-data/example/location2/site2);

# If you want to communicate with all the VPN sites, you can use something
# like the following instead (this makes every site in the file a peer;
# prefer an explicit list or a location subset unless you need them all):

# sites map(site,vpn/example/all-sites);

# If you want to communicate with a subset of locations, try the following:

# sites map(site,vpn/example/location1,vpn/example/location2);