X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=example.conf;h=d746a56a3a0b5f037bbee6f606fd16780943096d;hb=0d0c3b6af54a0c4d9440f48b31de97c1b066458f;hp=f1d87581e6e7e891ab9bc151068964038c47ee80;hpb=c215a4bc817daf7b5631236c3c7b6a509479b034;p=secnet.git
diff --git a/example.conf b/example.conf
index f1d8758..d746a56 100644
--- a/example.conf
+++ b/example.conf
@@ -1,5 +1,10 @@
 # secnet example configuration file
 
+# This file is part of secnet.
+# See LICENCE and this file CREDITS for full list of copyright holders.
+# SPDX-License-Identifier: GPL-3.0-or-later
+# There is NO WARRANTY.
+
 # Log facility
 # If you use this unaltered you should consider providing automatic log
 # rotation for /var/log/secnet. secnet will close and re-open its logfiles
@@ -67,8 +72,8 @@ system {
 # renegotiate-time set up a new key if we see any traffic after this time
 
 # Defaults that may be overridden on a per-site basis:
-setup-retries 10;
-setup-timeout 2000;
+#setup-retries 10;
+#setup-timeout 2000;
 
 # Use the universal TUN/TAP driver to get packets to and from the kernel,
 # through a single interface. secnet will act as a router; it requires
@@ -115,6 +120,11 @@ netlink tun {
 #mtu 1400;
 #buffer sysbuffer(2048);
 
+# This is small enough that it fits without fragmentation into
+# the foolish wifi on Greater Anglia's now-retired Class 379s.
+# This is good because they mishandle fragmentation.
+mtu-target 1260;
+
 
 # This defines the port that this instance of secnet will listen on, and
 # originate packets on. It does not _have_ to correspond to the advertised
@@ -147,8 +157,11 @@ random randomfile("/dev/urandom",no);
 local-name "your-site-name";
 local-key rsa-private("/etc/secnet/key");
 
+# Are we a mobile site?
+#local-mobile true;
+
 # On dodgy links you may want to specify a higher maximum sequence number skew
-transform eax-serpent, serpent256-cbc;
+transform eax-serpent { }, serpent256-cbc { };
 
 include /etc/secnet/sites.conf
 
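Review bot: Commenting out `setup-retries 10;` and `setup-timeout 2000;` leaves the heading `# Defaults that may be overridden on a per-site basis:` sitting above two inactive lines, so a reader can no longer tell whether 10 and 2000 are the compiled-in defaults or merely the example's former values. If they are the built-in defaults, say so in the heading: `# Built-in defaults, shown commented out; uncomment to change them globally, or override per site:`. If they are not, the numbers should be corrected or the heading reworded, since these values presumably govern how long and how often a key setup is retried (the `renegotiate-time` comment just above suggests this block is about setup timing) and a stale example is what people copy. The enclosing `system {` section starts outside the hunk.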
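Review bot: `mtu-target 1260;` is the only active setting in this block — `#mtu 1400;` and `#buffer sysbuffer(2048);` directly above are commented-out examples — so anyone who copies this file as-is now gets a 1260-byte target applied, and the new comment justifies the number with an anecdote about one train operator's wifi rather than saying what `mtu-target` controls or how it relates to the commented `mtu 1400`. Either comment it out like its neighbours, or precede it with a line that states the contract, e.g. `# mtu-target: the size secnet tries to keep its packets within, chosen so they cross paths that mishandle fragmentation without being fragmented (1260 is a conservative value for such links)` — the first clause is my reading of the name and should be confirmed against what the option actually does, which this hunk does not show. The section whose header the hunk names (`netlink tun {`) starts outside the hunk.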
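Review bot: `transform eax-serpent { }, serpent256-cbc { };` introduces a `{ }` closure on each transform but nothing says what goes in it, while the sentence immediately above — `# On dodgy links you may want to specify a higher maximum sequence number skew` — now points at two empty closures, which is presumably where such a per-transform setting belongs. A one-line comment would close the gap: `# Each transform takes an options closure; per-transform settings such as the sequence-skew limit mentioned above go inside the braces.` The hunk also does not say whether the older closure-less form `transform eax-serpent, serpent256-cbc;` is still accepted, which matters to anyone upgrading an existing configuration, so state that explicitly either way. Separately, `# Are we a mobile site?` does not explain what `local-mobile true` changes; if it marks a site whose address may change, say that rather than asking a question.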
@@ -160,7 +173,10 @@ include /etc/secnet/sites.conf
 
 # If you want to communicate with all the VPN sites, you can use something
 # like the following:
-sites map(site,vpn/example/all-sites);
+sites map(site,all-sites);
+
+# Or with a particular VPN
+#sites map(site,vpn/Vexample/all-sites);
 
 # If you only want to communicate with a subset of the VPN sites, list
 # them explicitly:
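Review bot: The commented alternative `#sites map(site,vpn/Vexample/all-sites);` carries a `V` prefix that the line it replaces, `sites map(site,vpn/example/all-sites);`, did not have, and nothing in the hunk explains it; unless the naming convention in the included sites.conf changed to `vpn/Vexample`, this reads as a typo that every reader will copy. The active line also widens from one VPN's `all-sites` to a bare `all-sites`, which presumably makes this instance willing to talk to every site the included file defines rather than one VPN's worth, so the comment should say that is the intent and where these names come from, e.g. `# Or with a particular VPN (the all-sites and vpn/... names are defined in the sites.conf included above)` — if that is indeed where they are defined.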