1 | ;;; -*-conf-windows-*- |
2 | ;;; | |
3 | ;;; Peers description file | |
4 | ;;; | |
5 | ;;; New installations will clobber this file. Therefore you're best off not |
6 | ;;; editing this file directly; instead, drop a file containing your | |
7 | ;;; overridden settings alongside. | |
8 | |
9 | ;;;-------------------------------------------------------------------------- | |
10 | ;;; Global defaults. | |
11 | ;;; | |
12 | ;;; The parameters here affect all peer definitions. It mainly contains | |
13 | ;;; information about the local site. You will need to customize it. | |
14 | ||
15 | [@GLOBAL] | |
16 | ||
17 | ;; domain: the domain name for your VPN; used to form default tunnel | |
18 | ;; addresses. | |
19 | domain = vpn.example.com | |
20 | ||
21 | ;; myhost: my (internal) host name; used by the default laddr. | |
22 | myhost = thishost | |
23 | ||
24 | ;; laddr: the local address for point-to-point interfaces. | |
25 | laddr = $[$(myhost).$(domain)] | |
26 | ||
27 | ;; raddr: the remote address for point-to-point interfaces. | |
28 | raddr = $[$(name).$(domain)] | |
29 | ||
30 | ;; ifname: the name to set on point-to-point interfaces. | |
31 | ifname = vpn-$(name) | |
32 | ||
33 | ;; ifup: script to set up a tunnel interface ready for use. The installed | |
34 | ;; script is good for Linux hosts. | |
35 | ifup = /usr/sbin/tripe-ifup | |
36 | ||
37 | ;;;-------------------------------------------------------------------------- |
38 | ;;; Active-peers defaults. | |
39 | ;;; | |
40 | ;;; The parameters here affect both active and dynamic connections. The | |
41 | ;;; defaults should be good for most sites, though you may wish to add extra | |
42 | ;;; settings. | |
43 | ||
44 | [@ACTIVE] | |
45 | @inherit = @GLOBAL | |
46 | ||
47 | ;; port: the port on which the peer's tripe(8) daemon is running. The | |
48 | ;; default is the port officially allocated by IANA. | |
49 | port = 4070 | |
50 | ||
51 | ;; host: the external host name (or dotted-quad IP address) of the host | |
52 | ;; running tripe(8). This should be overridden explicitly in each peer | |
53 | ;; definition. | |
54 | host = override-me | |
55 | ||
56 | ;; peer: the address specification (see tripe-admin(5)) to use to connect to | |
57 | ;; the remote peer. | |
58 | peer = INET $[$(host)] $(port) | |
59 | ||
60 | ;;;-------------------------------------------------------------------------- | |
61 | ;;; Temporary association defaults. |
62 | ;;; | |
63 | ;;; These are settings common to both dynamic and passive peers. | |
64 | ||
65 | [@WATCH] | |
66 | @inherit = @GLOBAL | |
67 | ||
68 | ;; watch: whether to watch this connection and drop it if it dies. | |
69 | watch = t | |
70 | ||
71 | ;; timeout: how long to wait for a ping response before giving up. | |
72 | timeout = 10s | |
73 | ||
74 | ;; retries: how many ping attempts to make before declaring the connection | |
75 | ;; dead. | |
76 | retries = 5 | |
77 | ||
78 | ;;;-------------------------------------------------------------------------- | |
79 | ;;; Dynamic-peers defaults. |
80 | ;;; | |
81 | ;;; The parameters here affect peers to whom dynamic connections are made. | |
82 | ;;; The user and connect parameters probably need customizing. | |
83 | ||
84 | [@DYNAMIC] | |
02c99524 | 85 | @inherit = @ACTIVE, @WATCH |
86 | |
87 | ;; cork: whether to wait for a key-exchange packet from the peer before | |
88 | ;; sending one of our own. | |
89 | cork = t | |
90 | ||
91 | ;; ssh-user: user to connect as; used by the connect parameter. | |
92 | ssh-user = tripe | |
93 | ||
94 | ;; connect: shell command to use to wake up the remote peer and establish the | |
95 | ;; connection. | |
96 | connect = ssh -q $(ssh-user)@$[$(host)] hello |
97 | ||
98 | ;; disconnect: shell command to use to shut the remote peer down. | |
99 | disconnect = ssh -q $(ssh-user)@$[$(host)] goodbye | |
100 | |
101 | ;; keepalive: how often to send NOP packets to keep the connection alive, at | |
102 | ;; least in the minds of intermediate stateful firewalls and NAT routers. | |
103 | keepalive = 2m | |
104 | ||
105 | ;; every: interval for checking that this connection is alive. |
106 | every = 30s | |
107 | |
108 | ;;;-------------------------------------------------------------------------- | |
109 | ;;; Passive-peers defaults. | |
110 | ;;; | |
111 | ;;; The parameters here affect passive peers, i.e., those to whom dynamic | |
112 | ;;; connections are made. The dynamic connection protocol establishes most | |
113 | ;;; of the parameters and these defaults are probably pretty good. | |
114 | ||
115 | [@PASSIVE] | |
77ec571c | 116 | @inherit = @WATCH |
117 | |
118 | ;; peer: mark this entry as being a passive peer. | |
119 | peer = PASSIVE | |
120 | ||
121 | ;; mobile: mark this peer as likely to change its external address without |
122 | ;; warning. | |
123 | mobile = t | |
124 | ||
125 | ;; user: the string which the dynamic peer's connect command will present to |
126 | ;; the CONNECT service. | |
127 | user = $(name) | |
128 | ||
129 | ;; every: interval for checking that this connection is alive: should be at |
130 | ;; least twice as long as the dynamic peer interval. | |
131 | every = 5m | |
132 | |
133 | ;;;----- That's all, folks -------------------------------------------------- |