legal: Add missing notice to many files
diff --git
a/example.conf
b/example.conf
index f1d87581e6e7e891ab9bc151068964038c47ee80..d746a56a3a0b5f037bbee6f606fd16780943096d 100644
(file)
--- a/
example.conf
+++ b/
example.conf
@@
-1,5
+1,10
@@
# secnet example configuration file
# secnet example configuration file
+# This file is part of secnet.
+# See LICENCE and this file CREDITS for full list of copyright holders.
+# SPDX-License-Identifier: GPL-3.0-or-later
+# There is NO WARRANTY.
+
# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet. secnet will close and re-open its logfiles
# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet. secnet will close and re-open its logfiles
@@
-67,8
+72,8
@@
system {
# renegotiate-time set up a new key if we see any traffic after this time
# Defaults that may be overridden on a per-site basis:
# renegotiate-time set up a new key if we see any traffic after this time
# Defaults that may be overridden on a per-site basis:
-setup-retries 10;
-setup-timeout 2000;
+
#
setup-retries 10;
+
#
setup-timeout 2000;
# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface. secnet will act as a router; it requires
# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface. secnet will act as a router; it requires
@@
-115,6
+120,11
@@
netlink tun {
#mtu 1400;
#buffer sysbuffer(2048);
#mtu 1400;
#buffer sysbuffer(2048);
+# This is small enough that it fits without fragmentation into
+# the foolish wifi on Greater Anglia's now-retired Class 379s.
+# This is good because they mishandle fragmentation.
+mtu-target 1260;
+
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
@@
-147,8
+157,11
@@
random randomfile("/dev/urandom",no);
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
+# Are we a mobile site?
+#local-mobile true;
+
# On dodgy links you may want to specify a higher maximum sequence number skew
# On dodgy links you may want to specify a higher maximum sequence number skew
-transform eax-serpent
, serpent256-cbc
;
+transform eax-serpent
{ }, serpent256-cbc { }
;
include /etc/secnet/sites.conf
include /etc/secnet/sites.conf
@@
-160,7
+173,10
@@
include /etc/secnet/sites.conf
# If you want to communicate with all the VPN sites, you can use something
# like the following:
# If you want to communicate with all the VPN sites, you can use something
# like the following:
-sites map(site,vpn/example/all-sites);
+sites map(site,all-sites);
+
+# Or with a particular VPN
+#sites map(site,vpn/Vexample/all-sites);
# If you only want to communicate with a subset of the VPN sites, list
# them explicitly:
# If you only want to communicate with a subset of the VPN sites, list
# them explicitly:
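Review bot: In the fourth hunk (@@ -147 +157), the new line `transform eax-serpent { }, serpent256-cbc { };` introduces per-transform option dicts but leaves them empty and unexplained, while the comment immediately above it ("On dodgy links you may want to specify a higher maximum sequence number skew") now refers to nothing a reader can copy. If the skew setting is one of the options those braces accept, the example should carry it as a commented-out line inside the braces under its real option name, which I cannot confirm from this hunk. The list also keeps `serpent256-cbc` after `eax-serpent`; if, as the names suggest, the CBC transform is the older non-AEAD one retained for interoperability with older peers, a one-line comment saying so and stating what the list order means (local preference versus what a peer may negotiate) would let operators judge when to drop it. Likewise `#local-mobile true;` would benefit from a sentence on what marking a site mobile changes in its behaviour, since "Are we a mobile site?" does not say.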