X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=example.conf;h=d6908ff7c820c0b13b0c9e798d0e1c72b7b13f93;hp=b6d5dc2818845caafd01df1032f490f4a67ef7fc;hb=263cda0978685f36a149deac8a32c3d382101dd3;hpb=d3fe100dfc120244d316e083ce87b1eb130fe4fd
diff --git a/example.conf b/example.conf
index b6d5dc2..d6908ff 100644
--- a/example.conf
+++ b/example.conf
@@ -1,6 +1,9 @@
 # secnet example configuration file
 
 # Log facility
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
 log logfile {
 filename "/var/log/secnet";
 class "info","notice","warning","error","security","fatal";
@@ -11,7 +14,7 @@ log logfile {
 # 'quiet' -> fatal
 };
 
-# Alternatively you could log to syslog:
+# Alternatively you could log through syslog:
 # log syslog {
 # ident "secnet";
 # facility "local0";
@@ -23,6 +26,8 @@ log logfile {
 # userid who we try to run as after setup
 # pidfile
 system {
+ # Note that you should not specify 'userid' here unless secnet
+ # is being invoked as root.
 userid "secnet";
 pidfile "/var/run/secnet.pid";
 };
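Review bot: The note added inside the `system` block says not to set 'userid' unless secnet is invoked as root, but it does not say what happens in either case, while the example itself still sets `userid "secnet"`, so a reader who starts the daemon unprivileged is left to guess whether the setting is ignored or fatal. The description a few lines up already calls userid the account secnet tries to run as after setup, so the note would carry more if it read `# If secnet is started as root, set 'userid' so that it drops to an unprivileged account once setup is complete; if it is started as an ordinary user, leave this line out.` Whether a non-root start with userid set fails or is silently ignored is not visible here and should be checked against the code before the wording commits to one or the other.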
@@ -61,26 +66,31 @@ system {
 # wait-time wait between unsuccessful key setup attempts, in ms
 # renegotiate-time set up a new key if we see any traffic after this time
+# Defaults that may be overridden on a per-site basis:
 setup-retries 10;
 setup-timeout 2000;
-# Use the universal TUN/TAP driver to get packets to and from the kernel
-# (use tun-old if you are not on Linux-2.4)
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
 netlink tun {
 name "netlink-tun"; # Printed in log messages from this netlink
 # interface "tun0"; # You may set your own interface name if you wish;
 # if you don't one will be chosen for you.
 # device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
 local-address "192.168.x.x"; # IP address of host's tunnel interface
 secnet-address "192.168.x.x"; # IP address of this secnet
 # Tunnels are only allowed to use these networks; attempts to
 # claim IP addresses in any other ranges is a configuration error
- remote-networks "192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8";
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
 # MTU of the tunnel interface. Should be kept under the path-MTU
 # (by at least 60 bytes) between this secnet and its peers for
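Review bot: The `remote-networks` line is widened from `192.168.0.0/24` to `192.168.0.0/16` while the comment above it still presents the list as the only ranges a tunnel is allowed to claim; together with the other two entries the example now admits the whole of the private address space, so presumably any site entry in sites.conf may claim any private address this host routes to. Since this is the template operators copy, a line such as `# Narrow these to the prefixes actually assigned to your VPN; the ranges below admit all private address space.` above it would stop the broad default being inherited unchanged. The hunk also removes the `networks` line and its comment about discarding incoming tunnelled packets for other networks without saying where the local networks served by this host are now declared; if that has moved to the per-site entries, a one-line pointer here would keep readers from assuming the check no longer exists. The `netlink tun` block continues past the end of the hunk.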
@@ -94,19 +104,17 @@ netlink tun {
 buffer sysbuffer(2048);
 };
 
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-# name "netlink-userv-ipif";
-# # userv-path "/usr/bin/userv";
-# # service-user "root";
-# # service-name "ipif";
-# networks "whatever";
-# local-address "whatever";
-# secnet-address "whatever";
-# mtu 1400;
-# buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif". This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
 
 # This defines the port that this instance of secnet will listen on, and
 # originate packets on. It does not _have_ to correspond to the advertised
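Review bot: The new one-interface-per-tunnel alternative lists `netlink tun;`, `local-address`, `mtu` and `buffer` but no `remote-networks`, whereas the single-interface block above describes `remote-networks` as the check that stops a tunnel claiming addresses outside the permitted ranges. If that restriction still applies per tunnel, a commented `#remote-networks "192.168.x.x/16", "172.16.0.0/12", "10.0.0.0/8";` line belongs in this example alongside the others; if it does not apply in this mode, the comment block should say so explicitly, because a reader comparing the two examples will otherwise assume the same guard is in effect. The sentence about processing sites.conf so that each netlink section gains a buffer line would also be clearer if it said whether that is a manual edit or something a supplied tool does.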
@@ -146,22 +154,25 @@ transform serpent256-cbc {
 include /etc/secnet/sites.conf
-# Here you must list all the VPN sites that you wish to communicate with.
 # The /etc/secnet/sites file contains information on all reachable sites;
 # if the site you want to communicate with isn't listed, you should get
 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
-sites
- site(vpn-data/example/location1/site1),
- site(vpn-data/example/location2/site1),
- site(vpn-data/example/location2/site2);
-
 # If you want to communicate with all the VPN sites, you can use something
-# like the following instead:
+# like the following:
 
-# sites map(site,vpn/example/all-sites);
+sites map(site,vpn/example/all-sites);
+
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+# vpn-data/example/location1/site1,
+# vpn-data/example/location2/site1,
+# vpn-data/example/location2/site2);
 # If you want to communicate with a subset of locations, try the following:
 # sites map(site,vpn/example/location1,vpn/example/location2);
+
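Review bot: Making `sites map(site,vpn/example/all-sites);` the live line turns the example into one that talks to every site in the distributed sites file, so an installation that copies it unaltered will accept key setup from any site listed there, including ones the operator has never heard of; the explicit `sites` list that this hunk removes was the more conservative default. I would keep the all-sites form commented out and leave the explicit subset as the live example, or at least put `# Listing every site means any host in sites.conf can bring up a tunnel to you; prefer an explicit list unless you need them all.` directly above the live line. The existing warning about obtaining an authentic copy of the sites file carries more weight under this default and could be repeated next to it.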