;;; -*-conf-windows-*-
;;;
;;; Peers description file
;;;
;;; New installations will clobber this file.  Therefore you're best off not
;;; editing this file directly; instead, drop a file containing your
;;; overridden settings alongside.
;;;
;;; Notation used below, as far as this file itself shows it:
;;;   * `[@NAME]' sections are templates for peer definitions; a peer entry
;;;     or another template pulls them in with `@inherit = @A, @B' (the
;;;     order written is presumably significant -- check tripe-peers(5)).
;;;   * `$(key)' substitutes the value of another key.  `$(name)' is never
;;;     set in this file; presumably it is the name of the peer entry being
;;;     defined -- confirm against the manual.
;;;   * `$[...]' wraps every host-name expression in this file (laddr,
;;;     raddr, peer, connect, disconnect); presumably it resolves the name
;;;     to an address.
;;;   * Booleans are written `t' and `nil'; durations carry a unit suffix
;;;     (`10s', `2m', `5m').

;;;--------------------------------------------------------------------------
;;; Global defaults.
;;;
;;; The parameters here affect all peer definitions.  It mainly contains
;;; information about the local site.  You will need to customize it.

[@GLOBAL]

;; domain: the domain name for your VPN; used to form default tunnel
;; addresses.
domain = vpn.example.com

;; myhost: my (internal) host name; used by the default laddr.
myhost = thishost

;; laddr: the local address for point-to-point interfaces.
;; Built from myhost and domain above, so both must be set correctly.
laddr = $[$(myhost).$(domain)]

;; raddr: the remote address for point-to-point interfaces.
;; Built from the peer's name and the domain above.
raddr = $[$(name).$(domain)]

;; ifname: the name to set on point-to-point interfaces.
ifname = vpn-$(name)

;; ifup: script to set up a tunnel interface ready for use.  The installed
;; script is good for Linux hosts.
ifup = /usr/sbin/tripe-ifup

;;;--------------------------------------------------------------------------
;;; Active-peers defaults.
;;;
;;; The parameters here affect both active and dynamic connections.  The
;;; defaults should be good for most sites, though you may wish to add extra
;;; settings.

[@ACTIVE]
@inherit = @GLOBAL

;; port: the port on which the peer's tripe(8) daemon is running.  The
;; default is the port officially allocated by IANA.
port = 4070

;; host: the external host name (or dotted-quad IP address) of the host
;; running tripe(8).  This should be overridden explicitly in each peer
;; definition; the placeholder below is not a usable address.
host = override-me

;; peer: the address specification (see tripe-admin(5)) to use to connect to
;; the remote peer.
peer = INET $[$(host)] $(port)

;; ephemeral: whether to send the peer a disconnection notification, or
;; react to one from the peer.  Off for plain active peers; @EPHEMERAL
;; (below) turns it on.
ephemeral = nil

;;;--------------------------------------------------------------------------
;;; Temporary association defaults.
;;;
;;; These are settings common to both dynamic and passive peers.

[@WATCH]
@inherit = @GLOBAL

;; watch: whether to watch this connection and drop it if it dies.
watch = t

;; timeout: how long to wait for a ping response before giving up.
timeout = 10s

;; retries: how many ping attempts to make before declaring the connection
;; dead.
retries = 5

;;;--------------------------------------------------------------------------
;;; Dynamic-peers defaults.
;;;
;;; The parameters here affect peers to whom dynamic connections are made.
;;; The user and connect parameters probably need customizing.

;; Shared base for the dynamic-style templates (@KNOCK and @DYNAMIC):
;; an active peer which is also watched and treated as ephemeral.
[@EPHEMERAL]
@inherit = @ACTIVE, @WATCH

;; ephemeral: whether to send the peer a disconnection notification, or
;; react to one from the peer.  Overrides the `nil' inherited from @ACTIVE.
ephemeral = t

;; every: interval for checking that this connection is alive.
every = 30s

;; Knock-style peers: like @EPHEMERAL, but a peer-name string is sent to
;; the remote end rather than running a connect command.
[@KNOCK]
@inherit = @EPHEMERAL

;; keepalive: how often to send NOP packets to keep the connection alive, at
;; least in the minds of intermediate stateful firewalls and NAT routers.
keepalive = 2m

;; knock: peer-name string to send to the peer.
knock = $(myhost)

;; Dynamic peers: woken up over ssh by the connect command below.
[@DYNAMIC]
@inherit = @EPHEMERAL

;; cork: whether to wait for a key-exchange packet from the peer before
;; sending one of our own.
cork = t

;; ssh-user: user to connect as; used by the connect parameter.
ssh-user = tripe

;; connect: shell command to use to wake up the remote peer and establish the
;; connection.  $(ssh-user) and $(host) are substituted into a shell command
;; line, so whoever can write this file, or an override file alongside it,
;; controls what is executed here -- keep those files appropriately
;; protected.
connect = ssh -q $(ssh-user)@$[$(host)] hello

;; disconnect: shell command to use to shut the remote peer down.  The same
;; caution as for connect applies.
disconnect = ssh -q $(ssh-user)@$[$(host)] goodbye

;; keepalive: how often to send NOP packets to keep the connection alive, at
;; least in the minds of intermediate stateful firewalls and NAT routers.
keepalive = 2m

;;;--------------------------------------------------------------------------
;;; Passive-peers defaults.
;;;
;;; The parameters here affect passive peers, i.e., the receiving side of a
;;; dynamic connection: the remote peer runs its connect command against
;;; this host's CONNECT service (see the `user' parameter below).  The
;;; dynamic connection protocol establishes most of the parameters and
;;; these defaults are probably pretty good.

[@PASSIVE]
@inherit = @WATCH

;; peer: mark this entry as being a passive peer.
peer = PASSIVE

;; mobile: mark this peer as likely to change its external address without
;; warning.
mobile = t

;; user: the string which the dynamic peer's connect command will present to
;; the CONNECT service.
user = $(name)

;; every: interval for checking that this connection is alive: should be at
;; least twice as long as the dynamic peer interval (30s in @EPHEMERAL
;; above, so 5m leaves plenty of margin).
every = 5m

;;;----- That's all, folks --------------------------------------------------