1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
# secnet example configuration file
# This file is part of secnet.
# See LICENCE and this file CREDITS for full list of copyright holders.
# SPDX-License-Identifier: GPL-3.0-or-later
# There is NO WARRANTY.
# Log facility
# If you use this unaltered you should consider providing automatic log
# rotation for /var/log/secnet. secnet will close and re-open its logfiles
# when it receives SIGHUP.
log logfile {
filename "/var/log/secnet";
class "info","notice","warning","error","security","fatal";
# There are some useful message classes that could replace
# this list:
# 'default' -> warning,error,security,fatal
# 'verbose' -> info,notice,default
# 'quiet' -> fatal
};
# Alternatively you could log through syslog:
# log syslog {
# ident "secnet";
# facility "local0";
# };
# Systemwide configuration (all other configuration is per-site):
# log a log facility for program messages
# userid who we try to run as after setup
# pidfile
system {
# Note that you should not specify 'userid' here unless secnet
# is being invoked as root.
userid "secnet";
pidfile "/var/run/secnet.pid";
};
# Parameters for each remote site (arguments to the site() closure):
# things we configure locally
# buffer buffer for constructing/sending/receiving packets
# netlink user/kernel netlink device for this tunnel
# comm UDP communication
# resolver resolver to use for name lookups
# log a log destination for this connection
# log-events string list: which events we log
# random a source of randomness
# our local configuration visible to the outside world
# local-name string: how we identify ourselves to them
# local-key our own private RSA key
# local-port port number we listen on
# their configuration visible to us
# name string: how they identify themselves
# address string: use with resolver to find their IP address
# networks string list: their networks for us
# key the remote site's RSA public key
# port port we send to to contact remote site
# things both ends must agree on
# transform routine for bulk encryption
# dh Diffie-Hellman parameters
# hash secure hash function
# things both ends ought to agree on, but don't have to
# key-lifetime max session key lifetime, in milliseconds
# setup-retries max retransmits of a key setup packet
# setup-timeout wait between retransmits of key setup packets, in ms
# wait-time wait between unsuccessful key setup attempts, in ms
# renegotiate-time set up a new key if we see any traffic after this time
# Defaults that may be overridden on a per-site basis:
#setup-retries 10;
#setup-timeout 2000;
# Use the universal TUN/TAP driver to get packets to and from the kernel,
# through a single interface. secnet will act as a router; it requires
# its own IP address which is specified below (you'll see it on traceroute,
# etc. for routes that go via tunnels). If you don't want secnet to act
# as a router, and instead want a separate kernel network interface per
# tunnel, then see the alternative configuration below
# If you want to use userv-ipif to manage interfaces then replace the
# word "tun" with "userv-ipif".
netlink tun {
name "netlink-tun"; # Printed in log messages from this netlink
# interface "tun0"; # You may set your own interface name if you wish;
# if you don't one will be chosen for you.
# device "/dev/net/tun";
local-address "192.168.x.x"; # IP address of host's tunnel interface
secnet-address "192.168.x.x"; # IP address of this secnet
# Tunnels are only allowed to use these networks; attempts to
# claim IP addresses in any other ranges is a configuration error
remote-networks "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8";
# MTU of the tunnel interface. Should be kept under the path-MTU
# (by at least 60 bytes) between this secnet and its peers for
# optimum performance.
mtu 1400;
# This buffer is used to pass incoming packets onto the 'site'
# module. It should be at least as big as the MTU plus 60 bytes.
# Buffers can sometimes be shared between netlink devices - see
# full documentation for more details. (XXX TODO)
buffer sysbuffer(2048);
};
# This alternative configuration allows you to create one kernel network
# interface per tunnel. IT WILL ONLY WORK WITH "tun" - IT WILL NOT
# WORK WITH "userv-ipif". This is because "tun" can share a single
# buffer between multiple network interfaces, but userv-ipif can't.
# To use userv-ipif in this style, process the sites.conf file so that
# each "netlink" section contains a "buffer sysbuffer(2048);" line.
#netlink tun;
#local-address "192.168.x.x"; # Address of local interfaces - all the same
#mtu 1400;
#buffer sysbuffer(2048);
# This is small enough that it fits without fragmentation into
# the foolish wifi on Greater Anglia's now-retired Class 379s.
# This is good because they mishandle fragmentation.
mtu-target 1260;
# This defines the port that this instance of secnet will listen on, and
# originate packets on. It does not _have_ to correspond to the advertised
# port for your site: you may be doing network address translation, for
# example. You need to arrange that any UDP packets sent to the advertised
# host and port for your site end up on this machine at the port you
# specify here.
comm udp {
port 410;
buffer sysbuffer(4096);
};
# The resolver is used to look up IP addresses from the DNS names provided
# in the sites file. You may specify an alternative resolv.conf for
# ADNS here if you wish.
resolver adns {
# config=readfile("/etc/secnet/adns.conf");
};
# log is defined earlier - we share it with the system
log-events "setup-init","setup-timeout","activate-key","timeout-key","errors",
"security";
# A source of random bits for nonces and session keys. The 'no' specifies
# that it's non-blocking. XXX 'yes' isn't implemented yet.
random randomfile("/dev/urandom",no);
# If you're using the make-secnet-sites script then your local-name
# will be of the form "vpnname/location/site" eg. "sgo/greenend/sinister"
local-name "your-site-name";
local-key rsa-private("/etc/secnet/key");
# Are we a mobile site?
#local-mobile true;
# On dodgy links you may want to specify a higher maximum sequence number skew
transform eax-serpent { }, serpent256-cbc { };
include /etc/secnet/sites.conf
# The /etc/secnet/sites file contains information on all reachable sites;
# if the site you want to communicate with isn't listed, you should get
# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
# contains public keys for all sites.
# If you want to communicate with all the VPN sites, you can use something
# like the following:
sites map(site,all-sites);
# Or with a particular VPN
#sites map(site,vpn/Vexample/all-sites);
# If you only want to communicate with a subset of the VPN sites, list
# them explicitly:
# sites map(site,
# vpn-data/example/location1/site1,
# vpn-data/example/location2/site1,
# vpn-data/example/location2/site2);
# If you want to communicate with a subset of locations, try the following:
# sites map(site,vpn/example/location1,vpn/example/location2);
# This file is placed in the public domain (insofar as possible.)
# Authors: Stephen Early, Ian Jackson
|
