NAME
secvpn.conf - Configuration file for the Secure Virtual Private Network
SYNOPSIS
/etc/network/secvpn.conf
DESCRIPTION
The configuration file for the Secure Virtual Private Network (SVPN) is expected
to be a valid shell script defining variables and functions. The other programs
and scripts maintaining the SVPN source this file, so everything in it is
executed with their privileges: whoever can modify secvpn.conf can run arbitrary
commands as the user running secvpn, which has to be root in order to start
pppd and set routes. Keep the file owned by root, not writable by group or
others, and review every change to it as you would a change to a privileged
script.
The file is composed of two parts, a variable definition section and a function
definition section (in the sense of the shell syntax).
Variables
The variables define the global settings of the SVPN:
- THIS_IS
- identifies the current hostname.
- VPNS
- specifies the relationships between the SVPN hosts, i.e. which SVPNs
secvpn should start and which role this host plays in each of them.
The syntax is ActiveHost->PassiveHost, i.e. the active host is responsible
for establishing the secure channel to the passive host (using ssh), for
starting the pppd connection and for setting the routes on both the active
and the passive host.
Multiple relationships are separated by a blank. The identifiers used for
ActiveHost and PassiveHost must match the contents of the variable THIS_IS
in the corresponding configuration files.
- CRYPT_MASK
- is the network mask used for the secure ppp connection between the
T_CRYPT_IP and O_CRYPT_IP addresses.
- SSHPORT
- is currently not used; setting it has no effect, and the port ssh connects
to is determined by ssh's own configuration. In a future release this
variable may identify the port to which the ssh connection should be made.
Functions
Functions are used to define the specific attributes of the SVPN hosts and the
SVPN relationships.
First, a function has to be defined for each SVPN host. The name of the function
must match the hostname of the SVPN host (i.e. the contents of the variable
THIS_IS in the corresponding configuration file). The hostname must therefore
be usable as a shell function name; hostnames containing '-' or '.' are not
accepted as function names by every shell (dash rejects them). The SVPN host
specific functions set the following, host specific variables:
- GOOD_ONES
- specifies the official, good network address (together with the network
mask, given as the number of contiguous bits and separated by a slash, e.g.
X.X.X.0/24) of this SVPN host. This network is the secure subnet which is
represented by this SVPN host.
- GOOD_IP
- identifies the official, good IP address of the SVPN host. This IP address
must be used for all secure communications with this host.
Next, a function has to be defined for each SVPN relationship. These functions
are named after the entries of the VPNS variable (see above) with the prefix
vpn_, the '->' between the two hostnames being replaced by an underscore, e.g.
vpn_secvpn1_secvpn2 for the relationship secvpn1->secvpn2. These relationship
defining functions set the following connection specific variables:
- T_GOOD_ONES
- is an optional variable holding the blank separated list of secure networks
which are directly or indirectly reachable via the active SVPN host of this SVPN
connection (the good networks on "this" side). The networks are identified by
their IP address and network mask, given as the number of contiguous bits and
separated by a slash. The active host's own network must not be listed here,
because it is already specified in the GOOD_ONES variable of the SVPN host
function of the active member of the current connection.
- T_BAD_IP
- is the IP address of the active SVPN host which is used to establish the
secure channel to the passive SVPN host. This IP address might be attached to a
second interface on the active SVPN host (if a multi-homed system is used), or
the same IP address as for GOOD_IP might be used (if the active SVPN host is a
single-homed system).
- T_CRYPT_IP
- is the IP address on the active SVPN host which is used for the secure ppp
connection to the corresponding pppd on the passive SVPN host; secvpn adds a
new ppp interface for this IP.
- O_CRYPT_IP
- is the IP address on the passive SVPN host which is used for the secure ppp
connection to the corresponding pppd on the active SVPN host; secvpn adds a
new ppp interface for this IP.
- O_BAD_IP
- is the IP address of the passive SVPN host which is used to establish the
secure channel to the active SVPN host. This IP address might be attached to a
second interface on the passive SVPN host (if a multi-homed system is used), or
the same IP address as for GOOD_IP might be used (if the passive SVPN host is a
single-homed system).
- O_GOOD_ONES
- is an optional variable holding the blank separated list of secure networks
which are directly or indirectly reachable via the passive SVPN host of this
SVPN connection (the good networks on the "other" side). The networks are
identified by their IP address and network mask, given as the number of
contiguous bits and separated by a slash. The passive host's own network must
not be listed here, because it is already specified in the GOOD_ONES variable
of the SVPN host function of the passive member of the current connection.
Example
# The SVPN acts as a router connecting 2 subnets.
# Each subnet itself is secure. But the Internet is unsecure.
#
#   Secure Subnet 1               /          /      Secure Subnet 2
#                                 / Unsecure /
#   [hosts1]  [secvpn1]           / Internet /      [secvpn2]      [hosts2]
#   X.X.X.n   eth0:X.X.X.1        /   ISDN   /      eth0:Y.Y.Y.1   Y.Y.Y.n
#             eth1:I.I.I.1        /          /      eth1:J.J.J.1
#
# ToDo:
# The hosts1 should be able to communicate securely with hosts2
# over an unsecure network.
# secvpn1/secvpn2 are used as routers that connect the secure
# subnet to the internet.
# Hosts1/hosts2 have routing entries using secvpn1/secvpn2 to
# reach hosts2/hosts1.
#
#
# Global variables
#
THIS_IS="`hostname`"
VPNS="secvpn1->secvpn2"
CRYPT_MASK="255.255.255.0"
SSHPORT="22"
#
# SVPN host specifications
#
# this is for the system with hostname 'secvpn1'
# (the ';' before '}' is required by the shell when the function
# body is written on one line)
secvpn1() { GOOD_ONES="X.X.X.0/24"; GOOD_IP="X.X.X.1"; }
# this is for the system with hostname 'secvpn2'
secvpn2() { GOOD_ONES="Y.Y.Y.0/24"; GOOD_IP="Y.Y.Y.1"; }
#
# SVPN connection specifications
#
# this is for the connection from 'secvpn1' (active) to
# 'secvpn2' (passive)
vpn_secvpn1_secvpn2()
{
    #  -----------
    #  | secvpn1 |----------------+
    #  -----------                |
    #       |                     |
    #       |                     # ppp-DEV
    T_BAD_IP="I.I.I.1";     T_CRYPT_IP="10.1.1.1"
    #       |                     |
    #       |                     # ppp-DEV
    O_BAD_IP="J.J.J.1";     O_CRYPT_IP="10.1.1.2"
    #       |                     |
    #  -----------                |
    #  | secvpn2 |----------------+
    #  -----------
}
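Because the file is sourced, two kinds of mistake in it are expensive: a syntax slip such as writing `f() { A=1; B=2 }` (no `;` before `}`) makes the whole file unparseable for every program that sources it, and a host or relationship function whose name does not match THIS_IS or the VPNS entry is simply never called. The script below is an added example, not part of secvpn or of this manual page. It checks a secvpn.conf the way a cautious administrator would before letting secvpn source it: that the file belongs to the invoking user and is not writable by anyone else (sourcing it executes it), that it parses, that every host named in VPNS has a host function setting a valid GOOD_ONES and GOOD_IP, that every relationship has a vpn_<active>_<passive> function setting valid T_*/O_* addresses, and that T_GOOD_ONES/O_GOOD_ONES do not repeat the host's own network; it also prints which role a given host plays in each relationship. The function names (check_conf_perms, lint_secvpn_conf, secvpn_roles, write_sample_conf), the vpn_<active>_<passive> naming rule taken from the example above, and the sample configuration built from RFC 5737 documentation addresses are this example's own assumptions; secvpn itself may check more or less than this.

```shell
#!/bin/sh
# Added lint for a secvpn.conf-style file; not part of secvpn. It reads the
# file the way secvpn does (by sourcing it) and checks what this page requires.
# Assumed: hostnames in THIS_IS/VPNS are valid shell function names and the
# relationship "a->p" is defined by a function named vpn_a_p.
# The conf is executed as shell, so write access to it is command execution as
# the user running secvpn: it must be owned by that user, unwritable by others.
check_conf_perms() {
    set -- "$1" $(ls -ldn "$1")                # file perms links uid gid ...
    case "$2" in
        ?????w*|????????w*) echo "$1: group- or world-writable ($2)"; return 1 ;;
    esac
    [ "$4" = "$(id -u)" ] || { echo "$1: owned by uid $4, not uid $(id -u)"; return 1; }
}
# "." searches PATH for a bare file name, so always source by explicit path.
load_conf() { case "$1" in */*) . "$1" ;; *) . "./$1" ;; esac; }
valid_ip() {                                   # four decimal octets, 0..255
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    [ $# -eq 4 ] || return 1
    for o; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac; [ "$o" -le 255 ] || return 1
    done
}
valid_cidr() {                                 # a.b.c.d/bits with bits 0..32
    case "$1" in */*) ;; *) return 1 ;; esac
    case "${1##*/}" in ''|*[!0-9]*) return 1 ;; esac
    [ "${1##*/}" -le 32 ] && valid_ip "${1%/*}"
}
is_function() { type "$1" 2>/dev/null | grep -q function; }
check_nets() {                                 # $1=fn $2=var $3=own net $4..=list
    fn=$1; var=$2; own=$3; shift 3
    for n; do
        valid_cidr "$n" || echo "$fn: $var entry '$n' is not addr/bits"
        [ "$n" != "$own" ] || echo "$fn: $var repeats the host's own GOOD_ONES $n"
    done
}
# Print one line per problem in conf file $1; succeed only if there is none.
lint_secvpn_conf() {
    check_conf_perms "$1" || return 1
    ( load_conf "$1" ) >/dev/null 2>&1 || { echo "$1: does not parse as a shell script"; return 1; }
    probs=$( (
        # subshell: whatever the sourced file does cannot touch this script
        set +e; load_conf "$1" >/dev/null 2>&1
        [ -n "$THIS_IS" ] || echo "THIS_IS is empty"
        valid_ip "$CRYPT_MASK" || echo "CRYPT_MASK '$CRYPT_MASK' is not a dotted mask"
        for rel in $VPNS; do
            case "$rel" in *'->'*) ;; *) echo "VPNS entry '$rel' is not Active->Passive"; continue ;; esac
            a=${rel%%->*}; p=${rel#*->}; a_net=; p_net=
            for h in "$a" "$p"; do
                is_function "$h" || { echo "no host function $h()"; continue; }
                unset GOOD_ONES GOOD_IP; "$h"
                valid_cidr "$GOOD_ONES" || echo "$h: GOOD_ONES '$GOOD_ONES' is not addr/bits"
                valid_ip "$GOOD_IP" || echo "$h: GOOD_IP '$GOOD_IP' is not an IPv4 address"
                if [ "$h" = "$a" ]; then a_net=$GOOD_ONES; else p_net=$GOOD_ONES; fi
            done
            fn="vpn_${a}_${p}"
            is_function "$fn" || { echo "no relationship function $fn()"; continue; }
            unset T_BAD_IP T_CRYPT_IP O_BAD_IP O_CRYPT_IP T_GOOD_ONES O_GOOD_ONES; "$fn"
            for v in T_BAD_IP T_CRYPT_IP O_BAD_IP O_CRYPT_IP; do
                eval "val=\$$v"
                valid_ip "$val" || echo "$fn: $v '$val' is not an IPv4 address"
            done
            [ "$T_CRYPT_IP" != "$O_CRYPT_IP" ] || echo "$fn: T_CRYPT_IP and O_CRYPT_IP are equal"
            check_nets "$fn" T_GOOD_ONES "$a_net" $T_GOOD_ONES
            check_nets "$fn" O_GOOD_ONES "$p_net" $O_GOOD_ONES
        done ) )
    [ -z "$probs" ] || { printf '%s\n' "$probs"; return 1; }
}
# The view from one host: its role in each VPNS entry. secvpn derives this from
# THIS_IS; $2 lets you ask for any host name.
secvpn_roles() {
    ( set +e; load_conf "$1" >/dev/null 2>&1; me=${2:-$THIS_IS}
      for rel in $VPNS; do
          a=${rel%%->*}; p=${rel#*->}
          if   [ "$me" = "$a" ]; then echo "$rel: active, connects to $p"
          elif [ "$me" = "$p" ]; then echo "$rel: passive, accepts ssh from $a"
          else echo "$rel: $me not involved"; fi
      done )
}
# Constructed sample (RFC 5737 and 10/8 addresses, not a real site), written to
# a mode-0600 temp file whose path is printed.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
THIS_IS="secvpn1"                  # a deployed file would use THIS_IS="`hostname`"
VPNS="secvpn1->secvpn2"
CRYPT_MASK="255.255.255.0"
SSHPORT="22"
secvpn1() { GOOD_ONES="192.0.2.0/24";    GOOD_IP="192.0.2.1"; }
secvpn2() { GOOD_ONES="198.51.100.0/24"; GOOD_IP="198.51.100.1"; }
vpn_secvpn1_secvpn2() {
    T_BAD_IP="203.0.113.1"; T_CRYPT_IP="10.1.1.1"
    O_BAD_IP="203.0.113.2"; O_CRYPT_IP="10.1.1.2"
}
EOF
    echo "$f"
}
conf=$(write_sample_conf)
lint_secvpn_conf "$conf" && secvpn_roles "$conf" secvpn2; rm -f "$conf"
```

To check a deployed file, source the script and run `lint_secvpn_conf /etc/network/secvpn.conf` as the user secvpn runs as (root), since ownership is compared against the invoking user. The `type ... | grep function` test relies on the wording of `type`'s output, which contains "function" in bash, dash and busybox ash; the permission test parses `ls -ldn`, which is POSIX but will also flag files with ACLs only if the group or other write bit is set.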
OTHER
To have real security it is necessary to harden each secvpn host and to run a
firewall on each of them that allows only selected IP addresses and ports to
pass through the VPN. The tunnel only protects the traffic between the two
secure subnets; it does nothing against a compromised secvpn host or against
traffic that reaches a secvpn host over its unsecure interface.
AUTHOR
Bernd Schumacher, HP Consulting, HEWLETT-PACKARD GmbH, Bad Homburg, 2000
COPYRIGHT
Copyright: Most recent version of the GPL.
On Debian GNU/Linux systems, the complete text of the GNU General Public License
can be found in "/usr/share/common-licenses/GPL".
SEE ALSO
secvpn(1) secvpnmon(1)