# secnet example configuration file
# Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+log logfile {
+ filename "/var/log/secnet";
+ class "info","notice","warning","error","security","fatal";
+ # There are some useful message classes that could replace
+ # this list:
+ # 'default' -> warning,error,security,fatal
+ # 'verbose' -> info,notice,default
+ # 'quiet' -> fatal
+};
+
+# Alternatively you could log to syslog:
+# log syslog {
+# ident "secnet";
+# facility "local0";
+# };
+
# Systemwide configuration (all other configuration is per-site):
# log a log facility for program messages
# setup-retries max retransmits of a key setup packet
# setup-timeout wait between retransmits of key setup packets, in ms
# wait-time wait between unsuccessful key setup attempts, in ms
+# renegotiate-time set up a new key if we see any traffic after this time
+
+setup-retries 10;
+setup-timeout 2000;
# Use the universal TUN/TAP driver to get packets to and from the kernel
netlink tun {
name "netlink-tun"; # Printed in log messages from this netlink
# interface "tun0"; # You may set your own interface name if you wish;
# if you don't one will be chosen for you.
+# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
local-address "192.168.x.x"; # IP address of host's tunnel interface
secnet-address "192.168.x.x"; # IP address of this secnet
+ # Tunnels are only allowed to use these networks; attempts to
+ # claim IP addresses in any other ranges is a configuration error
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
+
# MTU of the tunnel interface. Should be kept under the path-MTU
# (by at least 60 bytes) between this secnet and its peers for
# optimum performance.
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
- port xxxx;
+ port 410;
buffer sysbuffer(4096);
};
};
# log is defined earlier - we share it with the system
-log-events "init","up","down"; # XXX not yet used
+log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
+ "security";
# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);
+# If you're using the make-secnet-sites script then your local-name
+# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
max-sequence-skew 10;
};
-include /etc/secnet/sites
+include /etc/secnet/sites.conf
# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites file contains information on all reachable sites;
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.
-# Do not include your own site in this list!
+sites map(site,
+ vpn-data/example/location1/site1,
+ vpn-data/example/location2/site1,
+ vpn-data/example/location2/site2);
+
+# If you want to communicate with all the VPN sites, you can use something
+# like the following instead:
+
+# sites map(site,vpn/example/all-sites);
+
+# If you want to communicate with a subset of locations, try the following:
-sites
- site(example-vpn/some-site),
- site(example-vpn/some-other-site),
- site(example-vpn/a-third-site);
+# sites map(site,vpn/example/location1,vpn/example/location2);