# secnet example configuration file

# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet. secnet will close and re-open its logfiles
# when it receives SIGHUP, so a rotation job should rename the file and
# then signal the pid recorded in the pidfile (see the 'system' section).
# The log records security-class events; restrict who can read it.
log logfile {
    filename "/var/log/secnet";
    # Message classes written to the file.  'security' is the class
    # secnet uses for security-relevant messages; keep it (and 'error')
    # in any replacement list so that rejected or failed key setups
    # leave a trace.
    class "info","notice","warning","error","security","fatal";
    # There are some useful message classes that could replace
    # this list:
    #   'default' -> warning,error,security,fatal
    #   'verbose' -> info,notice,default
    #   'quiet'   -> fatal      (note: this drops 'security')
};
| 16 | |
# Alternatively you could log through syslog (make sure your syslog
# configuration actually stores the 'local0' facility somewhere):
# log syslog {
#     ident "secnet";
#     facility "local0";
# };
| 22 | |
| 23 | |
# Systemwide configuration (all other configuration is per-site):
#   log      a log facility for program messages
#   userid   who we try to run as after setup
#   pidfile  where to record our process id
system {
    # Note that you should not specify 'userid' here unless secnet
    # is being invoked as root: it is the account secnet switches to
    # after setup.  Because privileges are dropped, files needed only
    # at startup (the private key, sites.conf) can stay root-owned and
    # unreadable by this account -- but confirm in the secnet
    # documentation which files are opened before and after the switch.
    userid "secnet";
    # Written at startup; a service manager or logrotate can use it to
    # deliver SIGHUP for log rotation.
    pidfile "/var/run/secnet.pid";
};
| 34 | |
# Parameters for each remote site (arguments to the site() closure):
# things we configure locally
#   buffer      buffer for constructing/sending/receiving packets
#   netlink     user/kernel netlink device for this tunnel
#   comm        UDP communication
#   resolver    resolver to use for name lookups
#   log         a log destination for this connection
#   log-events  string list: which events we log
#   random      a source of randomness (used for nonces and session keys)
| 44 | |
# our local configuration visible to the outside world
#   local-name  string: how we identify ourselves to them
#   local-key   our own private RSA key (never leaves this host)
#   local-port  port number we listen on
| 49 | |
# their configuration visible to us
#   name      string: how they identify themselves
#   address   string: use with resolver to find their IP address
#   networks  string list: their networks for us; each must lie inside
#             the netlink's remote-networks (see below)
#   key       the remote site's RSA public key (distributed via sites.conf)
#   port      port we send to to contact remote site
| 56 | |
# things both ends must agree on (a mismatch prevents key setup with
# that site)
#   transform  routine for bulk encryption
#   dh         Diffie-Hellman parameters
#   hash       secure hash function
| 61 | |
# things both ends ought to agree on, but don't have to
#   key-lifetime      max session key lifetime, in milliseconds
#   setup-retries     max retransmits of a key setup packet
#   setup-timeout     wait between retransmits of key setup packets, in ms
#   wait-time         wait between unsuccessful key setup attempts, in ms
#   renegotiate-time  set up a new key if we see any traffic after this time
| 68 | |
# Defaults that may be overridden on a per-site basis:
# Ten retransmits at 2000 ms spacing means one key-setup attempt is
# abandoned after roughly 20 seconds; wait-time (see above) then governs
# the pause before the next attempt.
setup-retries 10;
setup-timeout 2000;
| 72 | |
# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface. secnet will act as a router; it requires
# its own IP address which is specified below (you'll see it on traceroute,
# etc. for routes that go via tunnels). If you don't want secnet to act
# as a router, and instead want a separate kernel network interface per
# tunnel, then see the alternative configuration below.

# If you want to use userv-ipif to manage interfaces then replace the
# word "tun" with "userv-ipif".
netlink tun {
    name "netlink-tun";     # Printed in log messages from this netlink
    # interface "tun0";     # You may set your own interface name if you wish;
                            # if you don't one will be chosen for you.
    # device "/dev/net/tun";

    # The "192.168.x.x" values below are placeholders: replace them with
    # real addresses from your VPN's address plan before starting secnet.
    local-address "192.168.x.x";  # IP address of host's tunnel interface
    secnet-address "192.168.x.x"; # IP address of this secnet

    # Tunnels are only allowed to use these networks; attempts to
    # claim IP addresses in any other ranges are a configuration error.
    # Treat this as a security boundary, not just a sanity check:
    # secnet routes between tunnels, so without this limit a peer's
    # 'networks' list could name prefixes it has no business serving.
    # Narrow these to the ranges your VPN actually uses rather than
    # leaving all three RFC 1918 blocks open.
    remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";

    # MTU of the tunnel interface. Should be kept under the path-MTU
    # (by at least 60 bytes) between this secnet and its peers for
    # optimum performance.
    mtu 1400;

    # This buffer is used to pass incoming packets onto the 'site'
    # module. It should be at least as big as the MTU plus 60 bytes.
    # Buffers can sometimes be shared between netlink devices - see
    # full documentation for more details. (XXX TODO)
    buffer sysbuffer(2048);
};
| 106 | |
# This alternative configuration allows you to create one kernel network
# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
# WORK WITH "userv-ipif". This is because "tun" can share a single
# buffer between multiple network interfaces, but userv-ipif can't.
# To use userv-ipif in this style, process the sites.conf file so that
# each "netlink" section contains a "buffer sysbuffer(2048);" line.
# (Uncomment the four lines below and comment out the single-interface
# netlink block above.)
#netlink tun;
#local-address "192.168.x.x"; # Address of local interfaces - all the same
#mtu 1400;
#buffer sysbuffer(2048);
| 117 | |
| 118 | |
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here (i.e. open it in any host or perimeter firewall).
comm udp {
    # 410 is below 1024, so on most Unix systems binding it needs root;
    # this is one reason secnet is started as root and then switches to
    # 'userid' (see the system section).
    port 410;
    # Receive buffer for raw UDP datagrams; larger than the netlink
    # buffer because a datagram carries a tunnel packet plus its
    # per-packet overhead (cf. the 60-byte note in the netlink section).
    buffer sysbuffer(4096);
};
| 129 | |
# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
# DNS answers are not authenticated: a spoofed answer can send our setup
# packets to the wrong host.  That host should still fail to authenticate
# against the site's key from sites.conf (confirm in the secnet docs), so
# the exposure is denial of service rather than talking to an impostor.
resolver adns {
    # config=readfile("/etc/secnet/adns.conf");
};
| 136 | |
# log is defined earlier - we share it with the system.
# Per-site events to record.  Keep "errors" and "security" in this list:
# they are what you will need when investigating a failed or rejected
# key setup.
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
           "security";
| 140 | |
# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
# Because reads never block, if secnet is launched very early in boot
# make sure the kernel's random pool has been seeded first (e.g. from a
# saved seed file) -- session-key quality depends on it.
random randomfile("/dev/urandom",no);
| 144 | |
# If you're using the make-secnet-sites script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
# The private key is what identifies this site to every peer.  The file
# must be readable only by the user that opens it (e.g. root, mode 0600);
# anyone who can read it can impersonate this site.
local-key rsa-private("/etc/secnet/key");
| 149 | |
# Bulk-encryption transforms; both ends must agree (see above).
# eax-serpent is an authenticated-encryption (AEAD) mode.  serpent256-cbc
# is kept for interoperability, presumably with peers that do not offer
# eax-serpent; drop it once every peer you talk to supports eax-serpent.
# On dodgy links you may want to specify a higher maximum sequence-number
# skew; that is a transform option not set here, so consult the secnet
# documentation before raising it -- a larger skew also loosens replay
# protection.
transform eax-serpent, serpent256-cbc;
| 152 | |
# sites.conf is trusted configuration -- it carries every peer's public
# key -- so it must be root-owned and not writable by the 'userid'
# account secnet runs as.
include /etc/secnet/sites.conf
| 154 | |
# The /etc/secnet/sites.conf file contains information on all reachable
# sites; if the site you want to communicate with isn't listed, you should
# get a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites, so a tampered copy lets an attacker
# stand in for any site it lists. Obtain it over an authenticated channel
# or verify its signature or fingerprint out of band.
| 159 | |
# If you want to communicate with all the VPN sites, you can use something
# like the following.  Every site in the group then becomes an acceptable
# peer, so the group is only as trustworthy as the sites.conf it came from.
sites map(site,vpn/example/all-sites);
| 164 | |
# If you only want to communicate with a subset of the VPN sites, list
# them explicitly (limiting the list is a cheap way to reduce exposure:
# only the named sites can set up a tunnel with you):

# sites map(site,
#           vpn-data/example/location1/site1,
#           vpn-data/example/location2/site1,
#           vpn-data/example/location2/site2);

# If you want to communicate with a subset of locations, try the following:

# sites map(site,vpn/example/location1,vpn/example/location2);
| 176 | |