# secnet example configuration file
# Log facility
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
log logfile {
filename "/var/log/secnet";
class "info","notice","warning","error","security","fatal";
# 'quiet' -> fatal
};
-# Alternatively you could log to syslog:
+# Alternatively you could log through syslog:
# log syslog {
# ident "secnet";
# facility "local0";
# userid who we try to run as after setup
# pidfile
system {
+ # Note that you should not specify 'userid' here unless secnet
+ # is being invoked as root.
userid "secnet";
pidfile "/var/run/secnet.pid";
};
# wait-time wait between unsuccessful key setup attempts, in ms
# renegotiate-time set up a new key if we see any traffic after this time
+# Defaults that may be overridden on a per-site basis:
setup-retries 10;
setup-timeout 2000;
-# Use the universal TUN/TAP driver to get packets to and from the kernel
-# (use tun-old if you are not on Linux-2.4)
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
netlink tun {
name "netlink-tun"; # Printed in log messages from this netlink
# interface "tun0"; # You may set your own interface name if you wish;
# if you don't one will be chosen for you.
# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
local-address "192.168.x.x"; # IP address of host's tunnel interface
secnet-address "192.168.x.x"; # IP address of this secnet
# Tunnels are only allowed to use these networks; attempts to
# claim IP addresses in any other ranges is a configuration error
- remote-networks "192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8";
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
# MTU of the tunnel interface. Should be kept under the path-MTU
# (by at least 60 bytes) between this secnet and its peers for
buffer sysbuffer(2048);
};
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-# name "netlink-userv-ipif";
-# # userv-path "/usr/bin/userv";
-# # service-user "root";
-# # service-name "ipif";
-# networks "whatever";
-# local-address "whatever";
-# secnet-address "whatever";
-# mtu 1400;
-# buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif". This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
local-key rsa-private("/etc/secnet/key");
# On dodgy links you may want to specify a higher maximum sequence number skew
-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent, serpent256-cbc;
include /etc/secnet/sites.conf
-# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.
-sites
- site(vpn-data/example/location1/site1),
- site(vpn-data/example/location2/site1),
- site(vpn-data/example/location2/site2);
-
# If you want to communicate with all the VPN sites, you can use something
-# like the following instead:
+# like the following:
-# sites map(site,vpn/example/all-sites);
+sites map(site,vpn/example/all-sites);
+
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+# vpn-data/example/location1/site1,
+# vpn-data/example/location2/site1,
+# vpn-data/example/location2/site2);
# If you want to communicate with a subset of locations, try the following:
# sites map(site,vpn/example/location1,vpn/example/location2);
+