1 # secnet example configuration file
9 # Alternatively you could log to a file:
11 # filename "/var/log/secnet";
12 # class "info","notice","warning","error","security","fatal";
13 # # There are some useful message classes that could replace
15 # # 'default' -> warning,error,security,fatal
16 # # 'verbose' -> info,notice,default
20 # Systemwide configuration (all other configuration is per-site):
21 # log a log facility for program messages
22 # userid who we try to run as after setup
26 pidfile "/var/run/secnet.pid";
29 # Parameters for each remote site (arguments to the site() closure):
30 # things we configure locally
31 # buffer buffer for constructing/sending/receiving packets
32 # netlink user/kernel netlink device for this tunnel
33 # comm UDP communication
34 # resolver resolver to use for name lookups
35 # log a log destination for this connection
36 # log-events string list: which events we log
37 # random a source of randomness
39 # our local configuration visible to the outside world
40 # local-name string: how we identify ourselves to them
41 # local-key our own private RSA key
42 # local-port port number we listen on
44 # their configuration visible to us
45 # name string: how they identify themselves
46 # address string: use with resolver to find their IP address
47 # networks string list: their networks for us
48 # key the remote site's RSA public key
49 # port port we send to to contact remote site
51 # things both ends must agree on
52 # transform routine for bulk encryption
53 # dh Diffie-Hellman parameters
54 # hash secure hash function
56 # things both ends ought to agree on, but don't have to
57 # key-lifetime max session key lifetime, in milliseconds
58 # setup-retries max retransmits of a key setup packet
59 # setup-timeout wait between retransmits of key setup packets, in ms
60 # wait-time wait between unsuccessful key setup attempts, in ms
61 # renegotiate-time set up a new key if we see any traffic after this time
66 # Use the universal TUN/TAP driver to get packets to and from the kernel
67 # (use tun-old if you are not on Linux-2.4)
69 name "netlink-tun"; # Printed in log messages from this netlink
70 # interface "tun0"; # You may set your own interface name if you wish;
71 # if you don't one will be chosen for you.
72 # device "/dev/net/tun";
74 # local networks served by this netlink device
75 # incoming tunneled packets for other networks will be discarded
76 networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
77 local-address "192.168.x.x"; # IP address of host's tunnel interface
78 secnet-address "192.168.x.x"; # IP address of this secnet
80 # MTU of the tunnel interface. Should be kept under the path-MTU
81 # (by at least 60 bytes) between this secnet and its peers for
82 # optimum performance.
85 # This buffer is used to pass incoming packets onto the 'site'
86 # module. It should be at least as big as the MTU plus 60 bytes.
87 # Buffers can sometimes be shared between netlink devices - see
88 # full documentation for more details. (XXX TODO)
89 buffer sysbuffer(2048);
92 # Alternatively (or additionally, if you like) use userv-ipif to get
93 # packets to and from the kernel.
95 # name "netlink-userv-ipif";
96 # # userv-path "/usr/bin/userv";
97 # # service-user "root";
98 # # service-name "ipif";
99 # networks "whatever";
100 # local-address "whatever";
101 # secnet-address "whatever";
103 # buffer sysbuffer(2048);
106 # This defines the port that this instance of secnet will listen on, and
107 # originate packets on. It does not _have_ to correspond to the advertised
108 # port for your site: you may be doing network address translation, for
109 # example. You need to arrange that any UDP packets sent to the advertised
110 # host and port for your site end up on this machine at the port you
114 buffer sysbuffer(4096);
117 # The resolver is used to look up IP addresses from the DNS names provided
118 # in the sites file. You may specify an alternative resolv.conf for
119 # ADNS here if you wish.
121 # config=readfile("/etc/secnet/adns.conf");
124 # log is defined earlier - we share it with the system
125 log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
128 # A source of random bits for nonces and session keys. The 'no' specifies
129 # that it's non-blocking. XXX 'yes' isn't implemented yet.
130 random randomfile("/dev/urandom",no);
132 # If you're using the make-secnet-sites.py script then your local-name
133 # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
134 local-name "your-site-name";
135 local-key rsa-private("/etc/secnet/key");
137 # On dodgy links you may want to specify a higher maximum sequence number skew
138 transform serpent256-cbc {
139 max-sequence-skew 10;
142 include /etc/secnet/sites.conf
144 # Here you must list all the VPN sites that you wish to communicate with.
145 # The /etc/secnet/sites file contains information on all reachable sites;
146 # if the site you want to communicate with isn't listed, you should get
147 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
148 # contains public keys for all sites.
151 site(vpn-data/example/location1/site1),
152 site(vpn-data/example/location2/site1),
153 site(vpn-data/example/location2/site2);
155 # If you want to communicate with all the VPN sites, you can use something
156 # like the following instead:
158 # sites map(site,vpn/example/all-sites);
160 # If you want to communicate with a subset of locations, try the following:
162 # sites map(site,vpn/example/location1,vpn/example/location2);
~ianmdlvl / secnet.git / blob