# secnet example configuration file # Log facility # If you use this unaltered you should consider providing automatic log # rotation for /var/log/secnet. secnet will close and re-open its logfiles # when it receives SIGHUP. log logfile { filename "/var/log/secnet"; class "info","notice","warning","error","security","fatal"; # There are some useful message classes that could replace # this list: # 'default' -> warning,error,security,fatal # 'verbose' -> info,notice,default # 'quiet' -> fatal }; # Alternatively you could log through syslog: # log syslog { # ident "secnet"; # facility "local0"; # }; # Systemwide configuration (all other configuration is per-site): # log a log facility for program messages # userid who we try to run as after setup # pidfile system { # Note that you should not specify 'userid' here unless secnet # is being invoked as root. userid "secnet"; pidfile "/var/run/secnet.pid"; }; # Parameters for each remote site (arguments to the site() closure): # things we configure locally # buffer buffer for constructing/sending/receiving packets # netlink user/kernel netlink device for this tunnel # comm UDP communication # resolver resolver to use for name lookups # log a log destination for this connection # log-events string list: which events we log # random a source of randomness # our local configuration visible to the outside world # local-name string: how we identify ourselves to them # local-key our own private RSA key # local-port port number we listen on # their configuration visible to us # name string: how they identify themselves # address string: use with resolver to find their IP address # networks string list: their networks for us # key the remote site's RSA public key # port port we send to to contact remote site # things both ends must agree on # transform routine for bulk encryption # dh Diffie-Hellman parameters # hash secure hash function # things both ends ought to agree on, but don't have to # key-lifetime max session key lifetime, in milliseconds # setup-retries max retransmits of a key setup packet # setup-timeout wait between retransmits of key setup packets, in ms # wait-time wait between unsuccessful key setup attempts, in ms # renegotiate-time set up a new key if we see any traffic after this time # Defaults that may be overridden on a per-site basis: setup-retries 10; setup-timeout 2000; # Use the universal TUN/TAP driver to get packets to and from the kernel, # through a single interface. secnet will act as a router; it requires # its own IP address which is specified below (you'll see it on traceroute, # etc. for routes that go via tunnels). If you don't want secnet to act # as a router, and instead want a separate kernel network interface per # tunnel, then see the alternative configuration below # If you want to use userv-ipif to manage interfaces then replace the # word "tun" with "userv-ipif". netlink tun { name "netlink-tun"; # Printed in log messages from this netlink # interface "tun0"; # You may set your own interface name if you wish; # if you don't one will be chosen for you. # device "/dev/net/tun"; local-address "192.168.x.x"; # IP address of host's tunnel interface secnet-address "192.168.x.x"; # IP address of this secnet # Tunnels are only allowed to use these networks; attempts to # claim IP addresses in any other ranges is a configuration error remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"; # MTU of the tunnel interface. Should be kept under the path-MTU # (by at least 60 bytes) between this secnet and its peers for # optimum performance. mtu 1400; # This buffer is used to pass incoming packets onto the 'site' # module. It should be at least as big as the MTU plus 60 bytes. # Buffers can sometimes be shared between netlink devices - see # full documentation for more details. (XXX TODO) buffer sysbuffer(2048); }; # This alternative configuration allows you to create one kernel network # interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT # WORK WITH "userv-ipif". This is because "tun" can share a single # buffer between multiple network interfaces, but userv-ipif can't. # To use userv-ipif in this style, process the sites.conf file so that # each "netlink" section contains a "buffer sysbuffer(2048);" line. #netlink tun; #local-address "192.168.x.x"; # Address of local interfaces - all the same #mtu 1400; #buffer sysbuffer(2048); # This defines the port that this instance of secnet will listen on, and # originate packets on. It does not _have_ to correspond to the advertised # port for your site: you may be doing network address translation, for # example. You need to arrange that any UDP packets sent to the advertised # host and port for your site end up on this machine at the port you # specify here. comm udp { port 410; buffer sysbuffer(4096); }; # The resolver is used to look up IP addresses from the DNS names provided # in the sites file. You may specify an alternative resolv.conf for # ADNS here if you wish. resolver adns { # config=readfile("/etc/secnet/adns.conf"); }; # log is defined earlier - we share it with the system log-events "setup-init","setup-timeout","activate-key","timeout-key","errors", "security"; # A source of random bits for nonces and session keys. The 'no' specifies # that it's non-blocking. XXX 'yes' isn't implemented yet. random randomfile("/dev/urandom",no); # If you're using the make-secnet-sites script then your local-name # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister" local-name "your-site-name"; local-key rsa-private("/etc/secnet/key"); # On dodgy links you may want to specify a higher maximum sequence number skew transform eax-serpent, serpent256-cbc; include /etc/secnet/sites.conf # The /etc/secnet/sites file contains information on all reachable sites; # if the site you want to communicate with isn't listed, you should get # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it # contains public keys for all sites. # If you want to communicate with all the VPN sites, you can use something # like the following: sites map(site,vpn/example/all-sites); # If you only want to communicate with a subset of the VPN sites, list # them explicitly: # sites map(site, # vpn-data/example/location1/site1, # vpn-data/example/location2/site1, # vpn-data/example/location2/site2); # If you want to communicate with a subset of locations, try the following: # sites map(site,vpn/example/location1,vpn/example/location2);