NAME
secvpn.conf - Configuration file for the Secure Virtual Private Network
SYNOPSIS
/etc/network/secvpn.conf
DESCRIPTION
The configuration file for the Secure Virtual Private Network is
expected to be a valid shell script defining variables and functions.
The script is sourced by the other programs and scripts maintaining the
SVPN and therefore must be handled with care!
The file is composed of two parts, a variable definition section and a
function definition section (in the sense of the shell syntax).
Variables
The variables are used to define global variables for the SVPN:
THIS_IS identifies the current hostname.
VPNS is used to specify the relationships between SVPN hosts, i.e.
which SVPNs should be started by secvpn and which role
this host plays in each relationship.
The syntax is ActiveHost->PassiveHost, i.e. the active host
is responsible for establishing the secure channel to the
passive host (using ssh) by starting the pppd connection
and setting routes on the active and the passive host.
Multiple relationships are separated by a blank; the
identifiers used for the ActiveHost and the PassiveHost
must match the contents of the variable THIS_IS in the
corresponding configuration files.
CRYPT_MASK is the network mask used for the real connection via the
T_CRYPT_IP IP addresses.
SSHPORT is currently not used. In future releases, this variable
may be used to identify the port to which the ssh
connection should be made.
Functions
Functions are used to define the specific attributes of the SVPN hosts
and the SVPN relationships.
First, a function for each SVPN host has to be defined. The name of the
function must match the hostname of the SVPN host (i.e. the contents of
the variable THIS_IS in the corresponding configuration file). The SVPN
host specific functions are used to set the following, host specific
variables:
GOOD_ONES specifies the official, good network address (together with
the network mask given as the number of contiguous bits
separated with a slash) of this SVPN host. This network is
the secure subnet which is represented by this SVPN host.
GOOD_IP identifies the official, good IP address of the SVPN host.
This IP address must be used for all secure communications
with this host.
Next, a function for each SVPN relationship has to be defined. The
names of these functions are derived from the entries of the VPNS
variable (see above) and receive the prefix vpn_ (in the example
below, the relationship secvpn1->secvpn2 is defined by the function
vpn_secvpn1_secvpn2). These relationship-defining functions are
used to set the following connection-specific variables:
T_GOOD_ONES is an optional variable used to specify the list (blank
separated) of secure networks which are directly or
indirectly reachable via the active SVPN host of this SVPN
connection (this side's good IP addresses). The networks are
identified by their IP address and their attached network
mask specified by the number of contiguous bits and
separated by a slash. Note that the own network must not
be listed in this variable, because it is specified in the
GOOD_ONES variable in the SVPN host function of the active
member of the current connection.
T_BAD_IP is the IP address of the active SVPN host which is used to
establish the secure channel to the passive SVPN host. This
IP address might be attached to a second interface on the
active SVPN host (if a multi homed system is used) or the
same IP address as for the GOOD_IP might be used (if the
active SVPN host is a single homed system).
T_CRYPT_IP is the IP address on the active SVPN host which is used for
the secure ppp connection to the corresponding pppd on the
passive SVPN host -- a new ppp interface will be added by
secvpn for this IP.
O_CRYPT_IP is the IP address on the passive SVPN host which is used
for the secure ppp connection to the corresponding pppd on
the active SVPN host -- a new ppp interface will be added
by secvpn for this IP.
O_BAD_IP is the IP address of the passive SVPN host which is used to
establish the secure channel to the active SVPN host. This
IP address might be attached to a second interface on the
passive SVPN host (if a multi homed system is used) or the
same IP address as for the GOOD_IP might be used (if the
passive SVPN host is a single homed system).
O_GOOD_ONES is an optional variable used to specify the list (blank
separated) of secure networks which are directly or
indirectly reachable via the passive SVPN host of this SVPN
connection (the other side's good IP addresses). The networks are
identified by their IP address and their attached network
mask specified by the number of contiguous bits and
separated by a slash. Note that the own network must not
be listed in this variable, because it is specified in the
GOOD_ONES variable in the SVPN host function of the passive
member of the current connection.
Example
# The SVPN acts as a router connecting 2 subnets.
# Each subnet itself is secure. But the Internet is unsecure.
#
#   Secure Subnet 1             /          /     Secure Subnet 2
#                               / Unsecure /
#   [hosts1]  [secvpn1]         / Internet /     [secvpn2]      [hosts2]
#   X.X.X.n   eth0:X.X.X.1      /   ISDN   /     eth0:Y.Y.Y.1   Y.Y.Y.n
#             eth1:I.I.I.1      /          /     eth1:J.J.J.1
#
# ToDo:
# The hosts1 should be able to communicate securely with hosts2
# over an unsecure network.
# secvpn1/secvpn2 are used as routers that connect the secure
# subnet to the internet.
# Hosts1/hosts2 have routing entries using secvpn1/secvpn2 to
# reach hosts2/hosts1.
#
#
# Global variables
#
THIS_IS="`hostname`"
VPNS="secvpn1->secvpn2"
CRYPT_MASK="255.255.255.0"
SSHPORT="22"
#
# SVPN host specifications
#
# this is for the system with hostname 'secvpn1'
# (the ';' before '}' is required by the shell)
secvpn1() { GOOD_ONES="X.X.X.0/24"; GOOD_IP="X.X.X.1"; }
# this is for the system with hostname 'secvpn2'
secvpn2() { GOOD_ONES="Y.Y.Y.0/24"; GOOD_IP="Y.Y.Y.1"; }
#
# SVPN connection specifications
#
# this is for the connection from 'secvpn1' (active) to
# 'secvpn2' (passive)
vpn_secvpn1_secvpn2()
{
#   -----------
#   | secvpn1 |----------------+
#   -----------                |
#        |                     |
#        |                  # ppp-DEV
T_BAD_IP="I.I.I.1";         T_CRYPT_IP="10.1.1.1"
#        |                     |
#        |                  # ppp-DEV
O_BAD_IP="J.J.J.1";         O_CRYPT_IP="10.1.1.2"
#        |                     |
#   -----------                |
#   | secvpn2 |----------------+
#   -----------
}
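The following checker is an added example; it is not part of secvpn or of this manual page. Because secvpn sources the configuration file as shell code, the checker sources it the same way, but only inside a subshell, and then verifies what the Variables and Functions sections above require: every ActiveHost->PassiveHost entry of VPNS has a host function for both hosts and a vpn_ActiveHost_PassiveHost relationship function, GOOD_ONES and the optional T_GOOD_ONES/O_GOOD_ONES lists contain ADDR/BITS networks, GOOD_IP, T_BAD_IP, T_CRYPT_IP, O_BAD_IP, O_CRYPT_IP and CRYPT_MASK are dotted-quad addresses, and the file is not world-writable. The function names and the sample configuration (which uses documentation addresses in place of the X.X.X.n placeholders above) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of secvpn or its manual page: a defensive
# sanity check for a secvpn.conf in the format described above.
# secvpn sources the file as a shell script, so this checker does the
# same, but only inside a subshell, so nothing the file defines or does
# leaks into the calling shell. All function names below
# (check_secvpn_conf, is_ipv4, is_cidr, defined_fn, write_sample_conf)
# are this example's own, not part of secvpn.

# Constructed sample configuration using RFC 5737 documentation
# addresses; note the ';' before each '}' that the shell requires.
SAMPLE_CONF='
THIS_IS="secvpn1"
VPNS="secvpn1->secvpn2"
CRYPT_MASK="255.255.255.0"
SSHPORT="22"
secvpn1() { GOOD_ONES="192.0.2.0/24"; GOOD_IP="192.0.2.1"; }
secvpn2() { GOOD_ONES="198.51.100.0/24"; GOOD_IP="198.51.100.1"; }
vpn_secvpn1_secvpn2() {
  T_BAD_IP="203.0.113.1"; T_CRYPT_IP="10.1.1.1"
  O_BAD_IP="203.0.113.2"; O_CRYPT_IP="10.1.1.2"
  O_GOOD_ONES="10.9.0.0/16 10.10.0.0/16"
}
'

# write_sample_conf: store SAMPLE_CONF in a private temp file, print its path
write_sample_conf() {
  _f=$(mktemp) || return 1
  chmod 600 "$_f"
  printf '%s\n' "$SAMPLE_CONF" > "$_f"
  printf '%s\n' "$_f"
}

# is_ipv4 ADDR: succeed only for four dotted decimal octets, each 0..255
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  [ "$(printf '%s' "$1" | tr -cd .)" = "..." ] || return 1
  _rest=$1.
  while [ -n "$_rest" ]; do
    _o=${_rest%%.*}; _rest=${_rest#*.}
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# is_cidr NET: succeed only for ADDR/BITS with a valid ADDR and BITS in 0..32
is_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  _bits=${1#*/}
  case $_bits in ''|*[!0-9]*|???*) return 1 ;; esac
  is_ipv4 "${1%%/*}" || return 1
  [ "$_bits" -le 32 ]
}

# defined_fn NAME: succeed if NAME is a shell function (command -v prints
# the bare name for functions and a path for PATH binaries)
defined_fn() {
  [ "$(command -v "$1" 2>/dev/null)" = "$1" ]
}

# check_secvpn_conf FILE: print one line per problem found; succeed only
# when there are none. The file is sourced in a subshell.
check_secvpn_conf() {
  _arrow='->'; _perm_bad=0
  case $(ls -ld "$1" 2>/dev/null | cut -c9) in
    w) echo "$1 is world-writable but is sourced as shell code"; _perm_bad=1 ;;
  esac
  (
    _rc=0
    . "$1" || { echo "$1 does not parse as shell"; exit 1; }
    [ -n "$THIS_IS" ] || { echo "THIS_IS is empty"; _rc=1; }
    is_ipv4 "$CRYPT_MASK" || { echo "CRYPT_MASK '$CRYPT_MASK' is not a dotted quad"; _rc=1; }
    for _rel in $VPNS; do
      case $_rel in *"$_arrow"*) ;;
        *) echo "VPNS entry '$_rel' is not ActiveHost->PassiveHost"; _rc=1; continue ;;
      esac
      _a=${_rel%%"$_arrow"*}; _p=${_rel#*"$_arrow"}
      # one host function per host, each setting GOOD_ONES and GOOD_IP
      for _h in "$_a" "$_p"; do
        ( defined_fn "$_h" || { echo "no host function '$_h' for VPNS entry '$_rel'"; exit 1; }
          GOOD_ONES=; GOOD_IP=; "$_h"
          is_cidr "$GOOD_ONES" || { echo "$_h: GOOD_ONES '$GOOD_ONES' is not ADDR/BITS"; exit 1; }
          is_ipv4 "$GOOD_IP" || { echo "$_h: GOOD_IP '$GOOD_IP' is not an IPv4 address"; exit 1; }
        ) || _rc=1
      done
      # one relationship function, vpn_<active>_<passive>, per VPNS entry
      _fn="vpn_${_a}_${_p}"
      ( defined_fn "$_fn" || { echo "no relationship function '$_fn'"; exit 1; }
        T_BAD_IP=; T_CRYPT_IP=; O_BAD_IP=; O_CRYPT_IP=; T_GOOD_ONES=; O_GOOD_ONES=
        "$_fn"; _bad=0
        for _v in T_BAD_IP T_CRYPT_IP O_BAD_IP O_CRYPT_IP; do
          eval "_val=\$$_v"
          is_ipv4 "$_val" || { echo "$_fn: $_v '$_val' is not an IPv4 address"; _bad=1; }
        done
        for _n in $T_GOOD_ONES $O_GOOD_ONES; do
          is_cidr "$_n" || { echo "$_fn: network '$_n' is not ADDR/BITS"; _bad=1; }
        done
        exit $_bad
      ) || _rc=1
    done
    exit $_rc
  ) && [ $_perm_bad -eq 0 ]
}

# Stand-alone run: the constructed sample should produce no findings.
_demo=$(write_sample_conf) && check_secvpn_conf "$_demo" && echo "sample config: OK"
rm -f "$_demo"
```

The checker only reports; it never rewrites the file. Running it before each change to /etc/network/secvpn.conf catches the two mistakes that silently break a sourced file, a missing ';' before '}' and a VPNS entry without matching functions, before secvpn or secvpnmon source it.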
OTHER
To have real security it is necessary to secure each secvpn host and to
have firewalls on each secvpn host allowing only selected IP addresses
and ports to pass through the VPN.
AUTHOR
Bernd Schumacher, HP Consulting, HEWLETT-PACKARD GmbH, Bad Homburg,
2000
COPYRIGHT
Copyright: Most recent version of the GPL.
On Debian GNU/Linux systems, the complete text of the GNU General
Public License can be found in "/usr/share/common-licenses/GPL".
SEE ALSO
secvpn(1) secvpnmon(1)