;;; -*-conf-windows-*-
;;;
;;; Peers description file
;;;
;;; New installations will clobber this file. Therefore you're best off not
;;; editing this file directly; instead, drop a file containing your
;;; overridden settings alongside it.
;;;
;;; Notation used below (tripe's own syntax, not generic INI):
;;;   $(key)  -- substitutes the value of another key, following @inherit;
;;;   $[...]  -- presumably resolves the enclosed host name to an address
;;;              (it is used wherever a value is described as an address);
;;;              confirm against the tripe documentation before relying on it;
;;;   $(name) -- appears to be the name of the peer section being defined.
;;; Sections whose names begin with `@' are used here as templates that other
;;; sections pull in through `@inherit'.

;;;--------------------------------------------------------------------------
;;; Global defaults.
;;;
;;; The parameters here affect all peer definitions. It mainly contains
;;; information about the local site. You will need to customize it.

[@GLOBAL]

;; domain: the domain name for your VPN; used to form default tunnel
;; addresses (laddr and raddr below).
domain = vpn.example.com

;; myhost: my (internal) host name; used by the default laddr.
myhost = thishost

;; laddr: the local address for point-to-point interfaces. Formed from
;; myhost and domain, so changing either changes this too.
laddr = $[$(myhost).$(domain)]

;; raddr: the remote address for point-to-point interfaces, formed from the
;; peer's name and the VPN domain.
raddr = $[$(name).$(domain)]

;; ifname: the name to set on point-to-point interfaces.
ifname = vpn-$(name)

;; ifup: script to set up a tunnel interface ready for use. The installed
;; script is good for Linux hosts. Whatever runs this script trusts its
;; contents, so it should be root-owned and not writable by unprivileged
;; users.
ifup = /usr/sbin/tripe-ifup

;;;--------------------------------------------------------------------------
;;; Active-peers defaults.
;;;
;;; The parameters here affect both active and dynamic connections. The
;;; defaults should be good for most sites, though you may wish to add extra
;;; settings.

[@ACTIVE]
@inherit = @GLOBAL

;; port: the port on which the peer's tripe(8) daemon is running. The
;; default is the port officially allocated by IANA.
port = 4070

;; host: the external host name (or dotted-quad IP address) of the host
;; running tripe(8). This should be overridden explicitly in each peer
;; definition. The value is substituted into peer below and, for dynamic
;; peers, unquoted into the connect and disconnect shell commands, so it must
;; be a plain host name or address and nothing more.
host = override-me

;; peer: the address specification (see tripe-admin(5)) to use to connect to
;; the remote peer.
peer = INET $[$(host)] $(port)

;;;--------------------------------------------------------------------------
;;; Temporary association defaults.
;;;
;;; These are settings common to both dynamic and passive peers.

[@WATCH]
@inherit = @GLOBAL

;; watch: whether to watch this connection and drop it if it dies.
watch = t

;; timeout: how long to wait for a ping response before giving up.
timeout = 10s

;; retries: how many ping attempts to make before declaring the connection
;; dead. Together with timeout, a dead peer should be noticed after roughly
;; retries x timeout -- confirm against tripe's actual behaviour.
retries = 5

;;;--------------------------------------------------------------------------
;;; Dynamic-peers defaults.
;;;
;;; The parameters here affect peers to whom dynamic connections are made.
;;; The ssh-user and connect parameters probably need customizing.

[@DYNAMIC]
@inherit = @ACTIVE, @WATCH

;; cork: whether to wait for a key-exchange packet from the peer before
;; sending one of our own.
cork = t

;; ssh-user: user to connect as; used by the connect and disconnect
;; parameters. Least privilege: this remote account only needs to run the
;; hello and goodbye commands used below, so consider restricting it to those
;; (e.g. a forced command on its authorized key).
ssh-user = tripe

;; connect: shell command to use to wake up the remote peer and establish the
;; connection. The -q flag suppresses most of ssh's warnings and diagnostics,
;; which makes host-key or authentication problems harder to debug from the
;; logs. The remote host key should already be in the known_hosts of
;; whichever account runs this, or an unattended run may fail or stall on a
;; prompt.
connect = ssh -q $(ssh-user)@$[$(host)] hello

;; disconnect: shell command to use to shut the remote peer down. Same
;; caveats as connect.
disconnect = ssh -q $(ssh-user)@$[$(host)] goodbye

;; keepalive: how often to send NOP packets to keep the connection alive, at
;; least in the minds of intermediate stateful firewalls and NAT routers.
keepalive = 2m

;; every: interval for checking that this connection is alive. The passive
;; side's every (see @PASSIVE below) should be at least twice this.
every = 30s

;;;--------------------------------------------------------------------------
;;; Passive-peers defaults.
;;;
;;; The parameters here affect passive peers, i.e., those which accept the
;;; dynamic connections initiated by a dynamic peer (the other end of the
;;; connect command above). The dynamic connection protocol establishes most
;;; of the parameters and these defaults are probably pretty good.

[@PASSIVE]
@inherit = @GLOBAL, @WATCH

;; peer: mark this entry as being a passive peer.
peer = PASSIVE

;; mobile: mark this peer as likely to change its external address without
;; warning.
mobile = t

;; user: the string which the dynamic peer's connect command will present to
;; the CONNECT service. It defaults to the peer's name; presumably it needs
;; to be unique among the passive peers defined here -- confirm.
user = $(name)

;; every: interval for checking that this connection is alive: should be at
;; least twice as long as the dynamic peer interval (every in @DYNAMIC, 30s by
;; default).
every = 5m

;;;----- That's all, folks --------------------------------------------------