X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=example.conf;h=d6908ff7c820c0b13b0c9e798d0e1c72b7b13f93;hp=634467c9e6c12a3279daa40617c52dc50367bca5;hb=59938e0ed0c8ac267c3715a25a0a3ed27f7a7e47;hpb=4f5e39ecfaa49376b0a5c3a4c384e91a828c1105
diff --git a/example.conf b/example.conf
index 634467c..d6908ff 100644
--- a/example.conf
+++ b/example.conf
@@ -1,6 +1,9 @@
 # secnet example configuration file
 
 # Log facility
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
 log logfile {
 	filename "/var/log/secnet";
 	class "info","notice","warning","error","security","fatal";
@@ -11,7 +14,7 @@ log logfile {
 	# 'quiet' -> fatal
 };
 
-# Alternatively you could log to syslog:
+# Alternatively you could log through syslog:
 # log syslog {
 #	ident "secnet";
 #	facility "local0";
@@ -23,6 +26,8 @@ log logfile {
 # userid	who we try to run as after setup
 # pidfile
 system {
+	# Note that you should not specify 'userid' here unless secnet
+	# is being invoked as root.
 	userid "secnet";
 	pidfile "/var/run/secnet.pid";
 };
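Review bot: The new rotation advice above `log logfile {` omits that the file secnet re-opens on SIGHUP must be writable by the account secnet runs as; the `system` section later in this file sets `userid "secnet"`, so a rotated-in /var/log/secnet created root-owned would presumably be unopenable once privileges have been dropped (hedged: the re-open path is not shown here). I would extend the comment with `# Rotation must recreate /var/log/secnet owned by (or writable to) the 'userid' given in the system section, and then send secnet SIGHUP; truncating the live file in place avoids the ownership question.` That keeps the SIGHUP hint and the privilege-drop consequence in one place.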
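Review bot: The note added inside `system {` reads as a warning against using `userid`, whereas the option description three lines up (`# userid who we try to run as after setup`) shows it is the privilege drop, which is the setting a root-started daemon should keep. I would reword it as `# Keep 'userid' when secnet is started as root so it drops privileges after setup; remove it only when secnet is started as an unprivileged user (it presumably cannot change uid then - confirm).` The example keeps `userid "secnet"` active, which is the right default for the root case, so the wording should encourage rather than discourage it.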
@@ -61,10 +66,19 @@ system {
 # wait-time		wait between unsuccessful key setup attempts, in ms
 # renegotiate-time	set up a new key if we see any traffic after this time
 
+# Defaults that may be overridden on a per-site basis:
 setup-retries 10;
 setup-timeout 2000;
 
-# Use the universal TUN/TAP driver to get packets to and from the kernel
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
 netlink tun {
 	name "netlink-tun"; # Printed in log messages from this netlink
 	# interface "tun0"; # You may set your own interface name if you wish;
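Review bot: The added sentence `# If you want to use userv-ipif to manage interfaces then replace the word "tun" with "userv-ipif".` is only valid for this single-interface router configuration; the per-tunnel alternative added later in the same commit states in capitals that it will not work with userv-ipif, so a reader who follows this instruction and then switches styles hits a contradiction with no pointer between the two. I would qualify it: `# ... replace the word "tun" with "userv-ipif" (single-interface configuration only; the per-tunnel alternative below does not support userv-ipif).` Minor: the line `# tunnel, then see the alternative configuration below` is missing its full stop, unlike the surrounding sentences. The `netlink tun {` block continues past the end of this hunk.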
@@ -90,19 +104,17 @@ netlink tun {
 	buffer sysbuffer(2048);
 };
 
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-#	name "netlink-userv-ipif";
-#	# userv-path "/usr/bin/userv";
-#	# service-user "root";
-#	# service-name "ipif";
-#	networks "whatever";
-#	local-address "whatever";
-#	secnet-address "whatever";
-#	mtu 1400;
-#	buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel.  IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif".  This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
 
 # This defines the port that this instance of secnet will listen on, and
 # originate packets on.  It does not _have_ to correspond to the advertised
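Review bot: With the commented `netlink userv-ipif` block deleted, the example no longer shows the userv-ipif-specific settings (`userv-path`, `service-user`, `service-name`) anywhere, yet the text added earlier in this commit still tells readers to switch to userv-ipif by swapping one word; of those three, `service-user` presumably selects whose userv `ipif` service secnet invokes (confirm against the netlink documentation), which is the privilege boundary an operator most needs to see. I would keep a short commented list of those options next to the userv-ipif advice, e.g. `# userv-ipif options: userv-path "/usr/bin/userv"; service-user "root"; service-name "ipif";`. Separately, `# To use userv-ipif in this style, process the sites.conf file so that` is vague about the mechanism; say what "process" means, e.g. `# ... generate or post-edit sites.conf so each "netlink" section carries its own "buffer sysbuffer(2048);" line.`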
@@ -142,22 +154,25 @@ transform serpent256-cbc {
 
 include /etc/secnet/sites.conf
 
-# Here you must list all the VPN sites that you wish to communicate with.
 # The /etc/secnet/sites file contains information on all reachable sites;
 # if the site you want to communicate with isn't listed, you should get
 # a newer version.  MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
 
-sites map(site,
-	vpn-data/example/location1/site1,
-	vpn-data/example/location2/site1,
-	vpn-data/example/location2/site2);
-
 # If you want to communicate with all the VPN sites, you can use something
-# like the following instead:
+# like the following:
 
-# sites map(site,vpn/example/all-sites);
+sites map(site,vpn/example/all-sites);
+
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+#	vpn-data/example/location1/site1,
+#	vpn-data/example/location2/site1,
+#	vpn-data/example/location2/site2);
 
 # If you want to communicate with a subset of locations, try the following:
 
 # sites map(site,vpn/example/location1,vpn/example/location2);
+
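Review bot: Making `sites map(site,vpn/example/all-sites);` the active default widens the example's trust from three explicitly listed sites to every entry in the included sites.conf, so the "MAKE SURE YOU GET AN AUTHENTIC COPY" warning a few lines up now covers the whole peer set rather than an allowlist the operator wrote by hand. I would state that consequence beside the active line: `# NOTE: with all-sites every key in sites.conf becomes a peer secnet will negotiate with; if you do not trust the entire list, use the explicit subset form below instead.` While here, the context comment refers to `/etc/secnet/sites` but the include is `/etc/secnet/sites.conf` - a pre-existing mismatch, but cheap to fix in the same edit. The final added line is a bare trailing blank at end of file and can be dropped.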