- <dd>An Ethernet over RFC 2890 Generic Routing Encapsulation
- over IPv4 IPsec tunnel. Each tunnel (including those of type
- <code>gre</code>) must be uniquely identified by the
- combination of <ref column="options" key="remote_ip"/> and
- <ref column="options" key="local_ip"/>. Note that if two ports are
- defined that are the same except one has an optional identifier and
- the other does not, the more specific one is matched first.
- An authentication method of <ref column="options" key="peer_cert"/>
- or <ref column="options" key="psk"/> must be defined. The
- following options may be specified in the <ref column="options"/>
- column:
- <dl>
- <dt><code>remote_ip</code></dt>
- <dd>Required. The tunnel endpoint.</dd>
- </dl>
- <dl>
- <dt><code>local_ip</code></dt>
- <dd>Optional. The destination IP that received packets must
- match. Default is to match all addresses.</dd>
- </dl>
- <dl>
- <dt><code>peer_cert</code></dt>
- <dd>Required for certificate authentication. A string
- containing the peer's certificate in PEM format.
- Additionally the host's certificate must be specified
- with the <code>certificate</code> option.</dd>
- </dl>
- <dl>
- <dt><code>certificate</code></dt>
- <dd>Required for certificate authentication. The name of a
- PEM file containing a certificate that will be presented
- to the peer during authentication.</dd>
- </dl>
- <dl>
- <dt><code>private_key</code></dt>
- <dd>Optional for certificate authentication. The name of
- a PEM file containing the private key associated with
- <code>certificate</code>. If <code>certificate</code>
- contains the private key, this option may be omitted.</dd>
- </dl>
- <dl>
- <dt><code>psk</code></dt>
- <dd>Required for pre-shared key authentication. Specifies a
- pre-shared key for authentication that must be identical on
- both sides of the tunnel.</dd>
- </dl>
- <dl>
- <dt><code>in_key</code></dt>
- <dd>Optional. The GRE key that received packets must contain.
- It may either be a 32-bit number (no key and a key of 0 are
- treated as equivalent) or the word <code>flow</code>. If
- <code>flow</code> is specified then any key will be accepted
- and the key will be placed in the <code>tun_id</code> field
- for matching in the flow table. The ovs-ofctl manual page
- contains additional information about matching fields in
- OpenFlow flows. Default is no key.</dd>
- </dl>
- <dl>
- <dt><code>out_key</code></dt>
- <dd>Optional. The GRE key to be set on outgoing packets. It may
- either be a 32-bit number or the word <code>flow</code>. If
- <code>flow</code> is specified then the key may be set using
- the <code>set_tunnel</code> Nicira OpenFlow vendor extension (0
- is used in the absence of an action). The ovs-ofctl manual
- page contains additional information about the Nicira OpenFlow
- vendor extensions. Default is no key.</dd>
- </dl>
- <dl>
- <dt><code>key</code></dt>
- <dd>Optional. Shorthand to set <code>in_key</code> and
- <code>out_key</code> at the same time.</dd>
- </dl>
- <dl>
- <dt><code>tos</code></dt>
- <dd>Optional. The value of the ToS bits to be set on the
- encapsulating packet. It may also be the word
- <code>inherit</code>, in which case the ToS will be copied from
- the inner packet if it is IPv4 or IPv6 (otherwise it will be
- 0). Note that the ECN fields are always inherited. Default is
- 0.</dd>
- </dl>
- <dl>
- <dt><code>ttl</code></dt>
- <dd>Optional. The TTL to be set on the encapsulating packet.
- It may also be the word <code>inherit</code>, in which case the
- TTL will be copied from the inner packet if it is IPv4 or IPv6
- (otherwise it will be the system default, typically 64).
- Default is the system default TTL.</dd>
- </dl>
- <dl>
- <dt><code>csum</code></dt>
- <dd>Optional. Compute GRE checksums on outgoing packets.
- Checksums present on incoming packets will be validated
- regardless of this setting. Note that GRE checksums
- impose a significant performance penalty as they cover the
- entire packet. As the contents of the packet is typically
- covered by L3 and L4 checksums, this additional checksum only
- adds value for the GRE and encapsulated Ethernet headers.
- Default is disabled, set to <code>true</code> to enable.</dd>
- </dl>
- <dl>
- <dt><code>df_inherit</code></dt>
- <dd>Optional. If enabled, the Don't Fragment bit will be copied
- from the inner IP headers (those of the encapsulated traffic)
- to the outer (tunnel) headers. Default is disabled; set to
- <code>true</code> to enable.</dd>
- </dl>
- <dl>
- <dt><code>df_default</code></dt>
- <dd>Optional. If enabled, the Don't Fragment bit will be set by
- default on tunnel headers if the <code>df_inherit</code> option
- is not set, or if the encapsulated packet is not IP. Default
- is enabled; set to <code>false</code> to disable.</dd>
- </dl>
- <dl>
- <dt><code>pmtud</code></dt>
- <dd>Optional. Enable tunnel path MTU discovery. If enabled
- ``ICMP Destination Unreachable - Fragmentation Needed''
- messages will be generated for IPv4 packets with the DF bit set
- and IPv6 packets above the minimum MTU if the packet size
- exceeds the path MTU minus the size of the tunnel headers.
- Note that this option causes behavior that is typically
- reserved for routers and therefore is not entirely in
- compliance with the IEEE 802.1D specification for bridges.
- Default is enabled; set to <code>false</code> to disable.</dd>
- </dl>
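Review bot: the removed region opens with a `<dd>` at its first line but the visible hunk ends at a `</dl>` with no matching `</dd>`; please confirm that the closing `</dd>` (and any enclosing `<dt>`) is removed in the surrounding context, otherwise the XML becomes unbalanced and the manpage generator will choke on it. More substantively, this deletes the only documentation of the security-relevant tunnel options `peer_cert`, `certificate`, `private_key` and `psk` (including the requirement that one of `peer_cert` or `psk` must be defined and that a `psk` must be identical on both ends) without a deprecation note or a pointer to where equivalent configuration now lives; operators with existing IPsec tunnels need that migration hint, so consider leaving a one-line `<dd>` that names the replacement or states that the type is no longer supported. Finally, the dropped text also documented generic tunnel behaviour (uniqueness by `remote_ip`/`local_ip`, most-specific match when two ports differ only by an optional identifier, `in_key`/`out_key`/`key`, `tos`, `ttl`, `csum`, `df_inherit`, `df_default`, `pmtud`); if those still apply to the remaining tunnel types, verify that the shared description elsewhere in this file covers them rather than losing them with this block.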