1 # secnet example configuration file
5 filename "/var/log/secnet";
6 class "info","notice","warning","error","security","fatal";
7 # There are some useful message classes that could replace
9 # 'default' -> warning,error,security,fatal
10 # 'verbose' -> info,notice,default
14 # Alternatively you could log to syslog:
21 # Systemwide configuration (all other configuration is per-site):
22 # log a log facility for program messages
23 # userid who we try to run as after setup
27 pidfile "/var/run/secnet.pid";
30 # Parameters for each remote site (arguments to the site() closure):
31 # things we configure locally
32 # buffer buffer for constructing/sending/receiving packets
33 # netlink user/kernel netlink device for this tunnel
34 # comm UDP communication
35 # resolver resolver to use for name lookups
36 # log a log destination for this connection
37 # log-events string list: which events we log
38 # random a source of randomness
40 # our local configuration visible to the outside world
41 # local-name string: how we identify ourselves to them
42 # local-key our own private RSA key
43 # local-port port number we listen on
45 # their configuration visible to us
46 # name string: how they identify themselves
47 # address string: use with resolver to find their IP address
48 # networks string list: their networks for us
49 # key the remote site's RSA public key
50 # port port we send to to contact remote site
52 # things both ends must agree on
53 # transform routine for bulk encryption
54 # dh Diffie-Hellman parameters
55 # hash secure hash function
57 # things both ends ought to agree on, but don't have to
58 # key-lifetime max session key lifetime, in milliseconds
59 # setup-retries max retransmits of a key setup packet
60 # setup-timeout wait between retransmits of key setup packets, in ms
61 # wait-time wait between unsuccessful key setup attempts, in ms
62 # renegotiate-time set up a new key if we see any traffic after this time
67 # Use the universal TUN/TAP driver to get packets to and from the kernel
68 # (use tun-old if you are not on Linux-2.4)
70 name "netlink-tun"; # Printed in log messages from this netlink
71 # interface "tun0"; # You may set your own interface name if you wish;
72 # if you don't one will be chosen for you.
73 # device "/dev/net/tun";
75 # local networks served by this netlink device
76 # incoming tunneled packets for other networks will be discarded
77 networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
78 local-address "192.168.x.x"; # IP address of host's tunnel interface
79 secnet-address "192.168.x.x"; # IP address of this secnet
81 # Tunnels are only allowed to use these networks; attempts to
82 # claim IP addresses in any other ranges is a configuration error
83 remote-networks "192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8";
85 # MTU of the tunnel interface. Should be kept under the path-MTU
86 # (by at least 60 bytes) between this secnet and its peers for
87 # optimum performance.
90 # This buffer is used to pass incoming packets onto the 'site'
91 # module. It should be at least as big as the MTU plus 60 bytes.
92 # Buffers can sometimes be shared between netlink devices - see
93 # full documentation for more details. (XXX TODO)
94 buffer sysbuffer(2048);
97 # Alternatively (or additionally, if you like) use userv-ipif to get
98 # packets to and from the kernel.
100 # name "netlink-userv-ipif";
101 # # userv-path "/usr/bin/userv";
102 # # service-user "root";
103 # # service-name "ipif";
104 # networks "whatever";
105 # local-address "whatever";
106 # secnet-address "whatever";
108 # buffer sysbuffer(2048);
111 # This defines the port that this instance of secnet will listen on, and
112 # originate packets on. It does not _have_ to correspond to the advertised
113 # port for your site: you may be doing network address translation, for
114 # example. You need to arrange that any UDP packets sent to the advertised
115 # host and port for your site end up on this machine at the port you
119 buffer sysbuffer(4096);
122 # The resolver is used to look up IP addresses from the DNS names provided
123 # in the sites file. You may specify an alternative resolv.conf for
124 # ADNS here if you wish.
126 # config=readfile("/etc/secnet/adns.conf");
129 # log is defined earlier - we share it with the system
130 log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
133 # A source of random bits for nonces and session keys. The 'no' specifies
134 # that it's non-blocking. XXX 'yes' isn't implemented yet.
135 random randomfile("/dev/urandom",no);
137 # If you're using the make-secnet-sites script then your local-name
138 # will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
139 local-name "your-site-name";
140 local-key rsa-private("/etc/secnet/key");
142 # On dodgy links you may want to specify a higher maximum sequence number skew
143 transform serpent256-cbc {
144 max-sequence-skew 10;
147 include /etc/secnet/sites.conf
149 # Here you must list all the VPN sites that you wish to communicate with.
150 # The /etc/secnet/sites file contains information on all reachable sites;
151 # if the site you want to communicate with isn't listed, you should get
152 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
153 # contains public keys for all sites.
156 site(vpn-data/example/location1/site1),
157 site(vpn-data/example/location2/site1),
158 site(vpn-data/example/location2/site2);
160 # If you want to communicate with all the VPN sites, you can use something
161 # like the following instead:
163 # sites map(site,vpn/example/all-sites);
165 # If you want to communicate with a subset of locations, try the following:
167 # sites map(site,vpn/example/location1,vpn/example/location2);
~ianmdlvl / secnet.git / blob