# secnet example configuration file
+# This file is part of secnet.
+# See LICENCE and this file CREDITS for full list of copyright holders.
+# SPDX-License-Identifier: GPL-3.0-or-later
+# There is NO WARRANTY.
+
# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet. secnet will close and re-open its logfiles
# renegotiate-time set up a new key if we see any traffic after this time
# Defaults that may be overridden on a per-site basis:
-setup-retries 10;
-setup-timeout 2000;
+#setup-retries 10;
+#setup-timeout 2000;
# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface. secnet will act as a router; it requires
#mtu 1400;
#buffer sysbuffer(2048);
+# This is small enough that it fits without fragmentation into
+# the foolish wifi on Greater Anglia's now-retired Class 379s.
+# This is good because they mishandle fragmentation.
+mtu-target 1260;
+
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
+# Are we a mobile site?
+#local-mobile true;
+
# On dodgy links you may want to specify a higher maximum sequence number skew
-transform eax-serpent, serpent256-cbc;
+transform eax-serpent { }, serpent256-cbc { };
include /etc/secnet/sites.conf
# If you want to communicate with all the VPN sites, you can use something
# like the following:
-sites map(site,vpn/example/all-sites);
+sites map(site,all-sites);
+
+# Or with a particular VPN
+#sites map(site,vpn/Vexample/all-sites);
# If you only want to communicate with a subset of the VPN sites, list
# them explicitly: