# secnet example configuration file
# Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+# If you use this unaltered you should consider providing automatic log
+# rotation for /var/log/secnet. secnet will close and re-open its logfiles
+# when it receives SIGHUP.
+log logfile {
+ filename "/var/log/secnet";
+ class "info","notice","warning","error","security","fatal";
+ # There are some useful message classes that could replace
+ # this list:
+ # 'default' -> warning,error,security,fatal
+ # 'verbose' -> info,notice,default
+ # 'quiet' -> fatal
+};
+
+# Alternatively you could log through syslog:
+# log syslog {
+# ident "secnet";
+# facility "local0";
+# };
+
# Systemwide configuration (all other configuration is per-site):
# log a log facility for program messages
# userid who we try to run as after setup
# pidfile
system {
+ # Note that you should not specify 'userid' here unless secnet
+ # is being invoked as root.
userid "secnet";
pidfile "/var/run/secnet.pid";
};
# setup-retries max retransmits of a key setup packet
# setup-timeout wait between retransmits of key setup packets, in ms
# wait-time wait between unsuccessful key setup attempts, in ms
+# renegotiate-time set up a new key if we see any traffic after this time
+
+# Defaults that may be overridden on a per-site basis:
+setup-retries 10;
+setup-timeout 2000;
-# Use the universal TUN/TAP driver to get packets to and from the kernel
+# Use the universal TUN/TAP driver to get packets to and from the kernel,
+# through a single interface. secnet will act as a router; it requires
+# its own IP address which is specified below (you'll see it on traceroute,
+# etc. for routes that go via tunnels). If you don't want secnet to act
+# as a router, and instead want a separate kernel network interface per
+# tunnel, then see the alternative configuration below
+
+# If you want to use userv-ipif to manage interfaces then replace the
+# word "tun" with "userv-ipif".
netlink tun {
name "netlink-tun"; # Printed in log messages from this netlink
# interface "tun0"; # You may set your own interface name if you wish;
# if you don't one will be chosen for you.
+# device "/dev/net/tun";
- # local networks served by this netlink device
- # incoming tunneled packets for other networks will be discarded
- networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
local-address "192.168.x.x"; # IP address of host's tunnel interface
secnet-address "192.168.x.x"; # IP address of this secnet
+ # Tunnels are only allowed to use these networks; attempts to
+ # claim IP addresses in any other ranges is a configuration error
+ remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
+
# MTU of the tunnel interface. Should be kept under the path-MTU
# (by at least 60 bytes) between this secnet and its peers for
# optimum performance.
buffer sysbuffer(2048);
};
-# Alternatively (or additionally, if you like) use userv-ipif to get
-# packets to and from the kernel.
-#netlink userv-ipif {
-# name "netlink-userv-ipif";
-# # userv-path "/usr/bin/userv";
-# # service-user "root";
-# # service-name "ipif";
-# networks "whatever";
-# local-address "whatever";
-# secnet-address "whatever";
-# mtu 1400;
-# buffer sysbuffer(2048);
-#};
+# This alternative configuration allows you to create one kernel network
+# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
+# WORK WITH "userv-ipif". This is because "tun" can share a single
+# buffer between multiple network interfaces, but userv-ipif can't.
+# To use userv-ipif in this style, process the sites.conf file so that
+# each "netlink" section contains a "buffer sysbuffer(2048);" line.
+#netlink tun;
+#local-address "192.168.x.x"; # Address of local interfaces - all the same
+#mtu 1400;
+#buffer sysbuffer(2048);
+
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
- port xxxx;
+ port 410;
buffer sysbuffer(4096);
};
};
# log is defined earlier - we share it with the system
-log-events "init","up","down"; # XXX not yet used
+log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
+ "security";
# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);
+# If you're using the make-secnet-sites script then your local-name
+# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
# On dodgy links you may want to specify a higher maximum sequence number skew
-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent, serpent256-cbc;
-include /etc/secnet/sites
+include /etc/secnet/sites.conf
-# Here you must list all the VPN sites that you wish to communicate with.
# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.
-sites
- site(example-vpn/some-site),
- site(example-vpn/some-other-site),
- site(example-vpn/a-third-site);
+# If you want to communicate with all the VPN sites, you can use something
+# like the following:
+
+sites map(site,vpn/example/all-sites);
+
+# If you only want to communicate with a subset of the VPN sites, list
+# them explicitly:
+
+# sites map(site,
+# vpn-data/example/location1/site1,
+# vpn-data/example/location2/site1,
+# vpn-data/example/location2/site2);
+
+# If you want to communicate with a subset of locations, try the following:
+
+# sites map(site,vpn/example/location1,vpn/example/location2);
+