GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
VERSIONS.
+PROTOCOL COMPATIBILITY WAS BROKEN BETWEEN secnet-0.06, secnet-0.07 AND
+secnet-0.08 FOR ENDIANNESS FIXES.
+
+THERE WILL BE ANOTHER CHANGE IN PROTOCOL IN THE secnet-0.1.x SERIES
+
* Preparation
** System software support
Ensure that you have libgmp2-dev and adns installed (and bison and
flex, and for that matter gcc...).
+[On BSD install /usr/ports/devel/bison and /usr/ports/devel/libgnugetopt]
+
If you intend to configure secnet to obtain packets from the kernel
through userv-ipif, install and configure userv-ipif. It is part of
userv-utils, available from ftp.chiark.greenend.org.uk in
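Review bot: the BSD line added here, "[On BSD install /usr/ports/devel/bison and /usr/ports/devel/libgnugetopt]", lists only bison and getopt, while the sentence it follows also requires libgmp, adns and flex; either list the corresponding ports as well or say explicitly that those are obtained some other way on BSD. In the same hunk, "THERE WILL BE ANOTHER CHANGE IN PROTOCOL IN THE secnet-0.1.x SERIES" gives the reader nothing to act on: name the release at which the break lands (or say it is not yet decided) and state what a site on the old protocol will see when it talks to one on the new protocol, since the lines just above already establish that 0.06, 0.07 and 0.08 are mutually incompatible.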
config file) which has only one device file (usually /dev/net/tun) and
the other (called 'tun-old') which has many device files (/dev/tun*).
Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style
-TUN. Currently only new-style TUN has been tested with secnet.
+TUN.
** System and network configuration
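Review bot: dropping "Currently only new-style TUN has been tested with secnet" from the TUN paragraph silently widens the supported set to tun-old on Linux-2.2, BSD and Solaris. If old-style TUN has now been tested (the BSD build notes elsewhere in this patch suggest it has), say on which platform; otherwise keep the caveat, because a reader configuring tun-old gets no other warning.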
interface). The other will be for secnet itself. These addresses
could possibly be allocated from the range used by your internal
network: if you do this, you should think about providing appropriate
-proxy-ARP on the machine running secnet for the two addresses.
-Alternatively the addresses could be from some other range - this
-works well if the machine running secnet is the default route out of
-your network.
+proxy-ARP on the internal network interface of the machine running
+secnet (eg. add an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to
+/etc/sysctl.conf on Debian systems and run sysctl -p). Alternatively
+the addresses could be from some other range - this works well if the
+machine running secnet is the default route out of your network.
http://www.ucam.org/cam-grin/ may be useful.
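Review bot: the proxy-ARP hint "net/ipv4/conf/eth_whatever/proxy_arp = 1" is incomplete on its own: Linux answers proxy ARP on an interface only for addresses it already routes via a different interface, so the two tunnel-end addresses must be routed to secnet's TUN or userv-ipif device before the setting has any effect. One sentence saying so would help, as would spelling out that eth_whatever is a placeholder for the internal interface name: the sysctl is per-interface, and enabling it on the external interface instead would make the machine answer ARP there for any internal address it routes. /etc/sysctl.conf accepts both the slash-separated and the dotted form of the key, so the form used is fine.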
-Advanced users: secnet's IP address does not _have_ to be in the range
-of networks claimed by your end of the tunnel; it could be in the
-range of networks claimed by the other end. Doing this is confusing,
-but works.
-
* Installation
To install secnet do
$ ./configure
$ make
# make install
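Review bot: the "Advanced users" paragraph removed above (secnet's address may lie in the range of networks claimed by the other end of the tunnel) is dropped without a replacement or a stated reason. If that configuration still works, the information is simply lost; if it no longer works or was never advisable, a one-line "do not put secnet's address in the remote site's range" tells the reader more than silence does.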
+
+(Note: you may see the following warning while compiling
+conffile.tab.c; I believe this is a bison bug:
+/usr/share/bison/bison.simple: In function `yyparse':
+/usr/share/bison/bison.simple:285: warning: `yyval' might be used
+ uninitialized in this function
+)
+
+Any other warnings or errors should be reported to
+steve@greenend.org.uk.
+
+If installing for the first time, do
+
# mkdir /etc/secnet
# cp example.conf /etc/secnet/secnet.conf
# cd /etc/secnet
# ssh-keygen -f key -N ""
-(When upgrading, just install the new /usr/local/sbin/secnet; keep
-your current configuration file.)
+[On BSD use
+$ LDFLAGS="-L/usr/local/lib" ./configure
+$ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
+XXX this should eventually be worked out automatically by 'configure'.]
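Review bot: removing "(When upgrading, just install the new /usr/local/sbin/secnet; keep your current configuration file.)" leaves the new "If installing for the first time, do" with no upgrade counterpart, and the top of this file now says protocol compatibility is broken between releases; keep the upgrade paragraph and extend it to say that all sites in a VPN have to move to the new release together. Smaller point on the BSD lines: -I/usr/local/include is passed via CFLAGS on the gmake line but not to ./configure, so configure's own header tests will not look in /usr/local/include; the XXX already concedes that this belongs in configure, but until then CFLAGS or CPPFLAGS should be set on the configure line too.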
Generate a site file fragment for your site (see below), and submit it
-for inclusion in the vpn-sites file. Download the vpn-sites file to
-/etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
+for inclusion in your VPN's 'sites' file. Download the vpn-sites file
+to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
sites file contains public keys for all the sites in the VPN.
* Configuration
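Review bot: "for inclusion in your VPN's 'sites' file" and the next clause "Download the vpn-sites file" now use two names for the same file; pick one. More importantly, "MAKE SURE YOU GET AN AUTHENTIC COPY" tells the reader what to achieve but not how: since this file carries every site's public key, say how it is to be authenticated (a detached signature from whoever maintains the VPN, or key fingerprints exchanged out of band), otherwise it will be fetched over plain FTP or HTTP and trusted as-is.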
6. the public part of the RSA key you generated during installation
(in /etc/secnet/key.pub if you followed the installation
instructions). This file contains three numbers and a comment on one
-line. The first number is the key length in bits, and can be ignored.
-The second number (typically small) is the encryption key 'e', and the
-third number (large) is the modulus 'n'.
+line. The first number is the key length in bits, and should be
+ignored. The second number (typically small) is the encryption key
+'e', and the third number (large) is the modulus 'n'.
If you are running secnet on a particularly slow machine, you may like
to specify a larger value for the key setup retry timeout than the
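Review bot: the key-file description "three numbers and a comment on one line" is the SSH1 RSA public-key format (bits, e, n, comment), but the generation command earlier in this patch, ssh-keygen -f key -N "", passes no key type, and newer ssh-keygen releases default to the SSH2 "ssh-rsa" format, which has no such numbers. Make the install step say ssh-keygen -t rsa1 -f key -N "" and mention the expected format here so the reader can tell at a glance whether the right kind of key was produced. Changing "can be ignored" to "should be ignored" for the bit length is fine, but if secnet places any requirement on the modulus size, this is the place to state it.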