| … | |
… | |
| 370 | |
370 | |
| 371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
371 | Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). |
| 372 | |
372 | |
| 373 | This value must be the minimum of the MTU values of all nodes. |
373 | This value must be the minimum of the MTU values of all nodes. |
| 374 | |
374 | |
|
|
375 | =item nfmark = integer |
|
|
376 | |
|
|
377 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
378 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
379 | send packets. |
|
|
380 | |
|
|
381 | This can be used to make gvpe use a different set of routing rules. For |
|
|
382 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
383 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
384 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
385 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
386 | |
|
|
387 | ip rule add not fwmark 1000 lookup 99 |
|
|
388 | |
| 375 | =item node = nickname |
389 | =item node = nickname |
| 376 | |
390 | |
| 377 | Not really a config setting but introduces a node section. The nickname is |
391 | Not really a config setting but introduces a node section. The nickname is |
| 378 | used to select the right configuration section and must be passed as an |
392 | used to select the right configuration section and must be passed as an |
| 379 | argument to the gvpe daemon. |
393 | argument to the gvpe daemon. |
| … | |
… | |
| 455 | private key file should be kept secret per-node to avoid spoofing, it is |
469 | private key file should be kept secret per-node to avoid spoofing, it is |
| 456 | not recommended to use this feature. |
470 | not recommended to use this feature. |
| 457 | |
471 | |
| 458 | =item rekey = seconds |
472 | =item rekey = seconds |
| 459 | |
473 | |
| 460 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
474 | Sets the rekeying interval in seconds (default: C<3607>). Connections are |
| 461 | reestablished every C<rekey> seconds, making them use a new encryption |
475 | reestablished every C<rekey> seconds, making them use a new encryption |
| 462 | key. |
476 | key. |
| 463 | |
477 | |
| 464 | =item nfmark = integer |
478 | =item seed-device = path |
| 465 | |
479 | |
| 466 | This advanced option, when set to a nonzero value (default: C<0>), tries |
480 | The random device used to initially and regularly seed the random |
| 467 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
481 | number generator (default: F</dev/urandom>). Randomness is of paramount |
| 468 | send packets. |
482 | importance to the security of the algorithms used in gvpe. |
| 469 | |
483 | |
| 470 | This can be used to make gvpe use a different set of routing rules. For |
484 | On program start and every seed-interval, gvpe will read 64 octets. |
| 471 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
| 472 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
| 473 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
| 474 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
| 475 | |
485 | |
| 476 | ip rule add not fwmark 1000 lookup 99 |
486 | Setting this path to the empty string will disable this functionality |
|
|
487 | completely (the underlying crypto library will likely look for entropy |
|
|
488 | sources on it's own though, so not all is lost). |
|
|
489 | |
|
|
490 | =item seed-interval = seconds |
|
|
491 | |
|
|
492 | The number of seconds between reseeds of the random number generator |
|
|
493 | (default: C<3613>). A value of C<0> disables this regular reseeding. |
| 477 | |
494 | |
| 478 | =back |
495 | =back |
| 479 | |
496 | |
| 480 | =head2 NODE SPECIFIC SETTINGS |
497 | =head2 NODE SPECIFIC SETTINGS |
| 481 | |
498 | |
