Import release 0.1.14
[secnet] / example.conf
1 # secnet example configuration file
2
3 # Log facility
4 log logfile {
5 filename "/var/log/secnet";
6 class "info","notice","warning","error","security","fatal";
7 # There are some useful message classes that could replace
8 # this list:
9 # 'default' -> warning,error,security,fatal
10 # 'verbose' -> info,notice,default
11 # 'quiet' -> fatal
12 };
13
14 # Alternatively you could log to syslog:
15 # log syslog {
16 # ident "secnet";
17 # facility "local0";
18 # };
19
20
21 # Systemwide configuration (all other configuration is per-site):
22 # log a log facility for program messages
23 # userid who we try to run as after setup
24 # pidfile
25 system {
26 userid "secnet";
27 pidfile "/var/run/secnet.pid";
28 };
29
30 # Parameters for each remote site (arguments to the site() closure):
31 # things we configure locally
32 # buffer buffer for constructing/sending/receiving packets
33 # netlink user/kernel netlink device for this tunnel
34 # comm UDP communication
35 # resolver resolver to use for name lookups
36 # log a log destination for this connection
37 # log-events string list: which events we log
38 # random a source of randomness
39
40 # our local configuration visible to the outside world
41 # local-name string: how we identify ourselves to them
42 # local-key our own private RSA key
43 # local-port port number we listen on
44
45 # their configuration visible to us
46 # name string: how they identify themselves
47 # address string: use with resolver to find their IP address
48 # networks string list: their networks for us
49 # key the remote site's RSA public key
50 # port port we send to to contact remote site
51
52 # things both ends must agree on
53 # transform routine for bulk encryption
54 # dh Diffie-Hellman parameters
55 # hash secure hash function
56
57 # things both ends ought to agree on, but don't have to
58 # key-lifetime max session key lifetime, in milliseconds
59 # setup-retries max retransmits of a key setup packet
60 # setup-timeout wait between retransmits of key setup packets, in ms
61 # wait-time wait between unsuccessful key setup attempts, in ms
62 # renegotiate-time set up a new key if we see any traffic after this time
63
64 setup-retries 10;
65 setup-timeout 2000;
66
67 # Use the universal TUN/TAP driver to get packets to and from the kernel
68 netlink tun {
69 name "netlink-tun"; # Printed in log messages from this netlink
70 # interface "tun0"; # You may set your own interface name if you wish;
71 # if you don't one will be chosen for you.
72 # device "/dev/net/tun";
73
74 local-address "192.168.x.x"; # IP address of host's tunnel interface
75 secnet-address "192.168.x.x"; # IP address of this secnet
76
77 # Tunnels are only allowed to use these networks; attempts to
78 # claim IP addresses in any other ranges is a configuration error
79 remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
80
81 # MTU of the tunnel interface. Should be kept under the path-MTU
82 # (by at least 60 bytes) between this secnet and its peers for
83 # optimum performance.
84 mtu 1400;
85
86 # This buffer is used to pass incoming packets onto the 'site'
87 # module. It should be at least as big as the MTU plus 60 bytes.
88 # Buffers can sometimes be shared between netlink devices - see
89 # full documentation for more details. (XXX TODO)
90 buffer sysbuffer(2048);
91 };
92
93 # Alternatively (or additionally, if you like) use userv-ipif to get
94 # packets to and from the kernel.
95 #netlink userv-ipif {
96 # name "netlink-userv-ipif";
97 # # userv-path "/usr/bin/userv";
98 # # service-user "root";
99 # # service-name "ipif";
100 # networks "whatever";
101 # local-address "whatever";
102 # secnet-address "whatever";
103 # mtu 1400;
104 # buffer sysbuffer(2048);
105 #};
106
107 # This defines the port that this instance of secnet will listen on, and
108 # originate packets on. It does not _have_ to correspond to the advertised
109 # port for your site: you may be doing network address translation, for
110 # example. You need to arrange that any UDP packets sent to the advertised
111 # host and port for your site end up on this machine at the port you
112 # specify here.
113 comm udp {
114 port 410;
115 buffer sysbuffer(4096);
116 };
117
118 # The resolver is used to look up IP addresses from the DNS names provided
119 # in the sites file. You may specify an alternative resolv.conf for
120 # ADNS here if you wish.
121 resolver adns {
122 # config=readfile("/etc/secnet/adns.conf");
123 };
124
125 # log is defined earlier - we share it with the system
126 log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
127 "security";
128
129 # A source of random bits for nonces and session keys. The 'no' specifies
130 # that it's non-blocking. XXX 'yes' isn't implemented yet.
131 random randomfile("/dev/urandom",no);
132
133 # If you're using the make-secnet-sites script then your local-name
134 # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
135 local-name "your-site-name";
136 local-key rsa-private("/etc/secnet/key");
137
138 # On dodgy links you may want to specify a higher maximum sequence number skew
139 transform serpent256-cbc {
140 max-sequence-skew 10;
141 };
142
143 include /etc/secnet/sites.conf
144
145 # Here you must list all the VPN sites that you wish to communicate with.
146 # The /etc/secnet/sites file contains information on all reachable sites;
147 # if the site you want to communicate with isn't listed, you should get
148 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
149 # contains public keys for all sites.
150
151 sites map(site,
152 vpn-data/example/location1/site1,
153 vpn-data/example/location2/site1,
154 vpn-data/example/location2/site2);
155
156 # If you want to communicate with all the VPN sites, you can use something
157 # like the following instead:
158
159 # sites map(site,vpn/example/all-sites);
160
161 # If you want to communicate with a subset of locations, try the following:
162
163 # sites map(site,vpn/example/location1,vpn/example/location2);