
Comparing gvpe/doc/gvpe.conf.5.pod (file contents):
Revision 1.22 by pcg, Mon Sep 1 06:06:11 2008 UTC vs.
Revision 1.26 by root, Sat Feb 12 04:15:29 2011 UTC

237other programs. 237other programs.
238 238
239The default is 47 (GRE), which has a good chance of tunneling 239The default is 47 (GRE), which has a good chance of tunneling
240through firewalls (but note that gvpe's rawip protocol is not GRE 240through firewalls (but note that gvpe's rawip protocol is not GRE
241compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 241compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4
242(IPIP tunnels) or 98 (ENCAP, rfc1241) 242(IPIP tunnels) or 98 (ENCAP, rfc1241).
243
244Many versions of Linux seem to have a bug that causes them to reorder
245packets for some ip protocols (GRE, ESP) but not for others (AH), so
246choose wisely (that is, use 51, AH).
243 247
244=item http-proxy-host = hostname/ip 248=item http-proxy-host = hostname/ip
245 249
246The C<http-proxy-*> family of options are only available if gvpe was 250The C<http-proxy-*> family of options are only available if gvpe was
247compiled with the C<--enable-http-proxy> option and enable tunneling of 251compiled with the C<--enable-http-proxy> option and enable tunneling of
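Review bot: the new paragraph at lines 244-246 recommends protocol 51 (AH) to avoid the reordering bug, but the preceding paragraph keeps 47 (GRE) as the default and praises it for firewall traversal; either the default should change or the text should say why GRE stays the default despite the known reordering problem. "Many versions of Linux seem to have a bug" is also too vague to act on: name the kernel versions or the mechanism observed, or at least state which versions were tested, so a reader can tell whether the advice applies to their host.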
314is established (even on rekeying operations). Note that node-up/down 318is established (even on rekeying operations). Note that node-up/down
315scripts will be run asynchronously, but execution is serialised, so there 319scripts will be run asynchronously, but execution is serialised, so there
316will only ever be one such script running. 320will only ever be one such script running.
317 321
318In addition to all the variables passed to C<if-up> scripts, the following 322In addition to all the variables passed to C<if-up> scripts, the following
319environment variables will be set: 323environment variables will be set (values are just examples):
320 324
321=over 4 325=over 4
322 326
323=item DESTNODE=branch2 327=item DESTNODE=branch2
324 328
325The name of the remote node. 329The name of the remote node.
326 330
327=item DESTID=2 331=item DESTID=2
328 332
329The node id of the remote node. 333The node id of the remote node.
334
335=item DESTSI=rawip/88.99.77.55:0
336
337The "socket info" of the target node, protocol dependent but usually in
338the format protocol/ip:port.
330 339
331=item DESTIP=188.13.66.8 340=item DESTIP=188.13.66.8
332 341
333The numerical IP address of the remote node (gvpe accepts connections from 342The numerical IP address of the remote node (gvpe accepts connections from
334everywhere, as long as the other node can authenticate itself). 343everywhere, as long as the other node can authenticate itself).
335 344
336=item DESTPORT=655 # deprecated 345=item DESTPORT=655 # deprecated
337 346
338The UDP port used by the other side. 347The protocol port used by the other side, if applicable.
339 348
340=item STATE=UP 349=item STATE=up
341 350
342Node-up scripts get called with STATE=UP, node-down scripts get called 351Node-up scripts get called with STATE=up, node-change scripts get called
343with STATE=DOWN. 352with STATE=change and node-down scripts get called with STATE=down.
344 353
345=back 354=back
346 355
347Here is a nontrivial example that uses nsupdate to update the name => ip 356Here is a nontrivial example that uses nsupdate to update the name => ip
348mapping in some DNS zone: 357mapping in some DNS zone:
352 echo update delete $DESTNODE.lowttl.example.net. a 361 echo update delete $DESTNODE.lowttl.example.net. a
353 echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP 362 echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP
354 echo 363 echo
355 } | nsupdate -d -k $CONFBASE:key.example.net. 364 } | nsupdate -d -k $CONFBASE:key.example.net.
356 365
366=item node-change = relative-or-absolute-path
367
368Same as C<node-change>, but gets called whenever something about a
369connection changes (such as the source IP address).
370
357=item node-down = relative-or-absolute-path 371=item node-down = relative-or-absolute-path
358 372
359Same as C<node-up>, but gets called whenever a connection is lost. 373Same as C<node-up>, but gets called whenever a connection is lost.
360 374
361=item pid-file = path 375=item pid-file = path
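Review bot: the added C<node-change> entry at line 368 describes itself as "Same as C<node-change>", which is a self-reference; it should read "Same as C<node-up>, but gets called whenever something about a connection changes", matching the wording of the C<node-down> entry below it. Two further points in the same hunk: changing C<STATE> from C<UP>/C<DOWN> to C<up>/C<down> breaks any existing script that compares against the upper-case strings, so the change should be called out as incompatible; and C<DESTPORT> is marked "# deprecated" without saying what to use instead, while the new C<DESTSI> entry (protocol/ip:port) looks like the intended replacement and should be named as such.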
379 393
380Sets the rekeying interval in seconds (default: C<3600>). Connections are 394Sets the rekeying interval in seconds (default: C<3600>). Connections are
381reestablished every C<rekey> seconds, making them use a new encryption 395reestablished every C<rekey> seconds, making them use a new encryption
382key. 396key.
383 397
398=item nfmark = integer
399
400This advanced option, when set to a nonzero value (default: C<0>), tries
401to set the netfilter mark (or fwmark) value on all sockets gvpe uses to
402send packets.
403
404This can be used to make gvpe use a different set of routing rules. For
405example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then
406put all routing rules into table C<99> and then use an ip rule to make
407gvpe traffic avoid that routing table, in effect routing normal traffic
408via gvpe and gvpe traffic via the normal system routing tables:
409
410 ip rule add not fwmark 1000 lookup 99
411
384=back 412=back
385 413
386=head2 NODE SPECIFIC SETTINGS 414=head2 NODE SPECIFIC SETTINGS
387 415
388The following settings are node-specific, that is, every node can have 416The following settings are node-specific, that is, every node can have
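Review bot: the C<nfmark> example at lines 404-408 says "the C<if-up> could set C<nfmark> to 1000", but C<nfmark> is a gvpe.conf option, not something the if-up script can set; the sentence should say that the configuration sets C<nfmark = 1000> and the if-up script populates table C<99> and installs the C<ip rule add not fwmark 1000 lookup 99> rule. "tries to set the netfilter mark" at line 400 also leaves the failure mode undocumented: on Linux setting a socket mark needs CAP_NET_ADMIN, so the text should state whether gvpe logs an error or silently continues unmarked when the call fails, since the routing setup described would then send gvpe's own packets through the tunnel.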
396 424
397Allow direct connections to this node. See C<deny-direct> for more info. 425Allow direct connections to this node. See C<deny-direct> for more info.
398 426
399=item compress = yes|true|on | no|false|off 427=item compress = yes|true|on | no|false|off
400 428
429For the current node, this specified whether it will accept compressed
430packets, and for all other nodes, this specifies whether to try to
401Wether to compress data packets sent to this node (default: C<yes>). 431compress data packets sent to this node (default: C<yes>). Compression is
402Compression is really cheap even on slow computers and has no size 432really cheap even on slow computers, has no size overhead at all and will
403overhead at all, so enabling this is often a good idea. 433only be used when the other side supports compression, so enabling this is
434often a good idea.
404 435
405=item connect = ondemand | never | always | disabled 436=item connect = ondemand | never | always | disabled
406 437
407Sets the connect mode (default: C<always>). It can be C<always> (always 438Sets the connect mode (default: C<always>). It can be C<always> (always
408try to establish and keep a connection to the given node), C<never> 439try to establish and keep a connection to the given node), C<never>
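Review bot: typo in the new text at line 429, "this specified whether" should be "this specifies whether", to match "this specifies whether" in the following clause. The rewritten paragraph now documents two distinct behaviours (accept compressed packets for the current node, try to compress for other nodes) under one default of C<yes>; it would help to say explicitly that setting C<compress = no> on the local node stops it accepting compressed packets from peers, since that is the reading the new wording implies.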
534The value specified using this directive will be passed to the C<if-up> 565The value specified using this directive will be passed to the C<if-up>
535script in the environment variable C<IFUPDATA>. 566script in the environment variable C<IFUPDATA>.
536 567
537=item inherit-tos = yes|true|on | no|false|off 568=item inherit-tos = yes|true|on | no|false|off
538 569
539Wether to inherit the TOS settings of packets sent to the tunnel when 570Whether to inherit the TOS settings of packets sent to the tunnel when
540sending packets to this node (default: C<yes>). If set to C<yes> then 571sending packets to this node (default: C<yes>). If set to C<yes> then
541outgoing tunnel packets will have the same TOS setting as the packets sent 572outgoing tunnel packets will have the same TOS setting as the packets sent
542to the tunnel device, which is usually what you want. 573to the tunnel device, which is usually what you want.
543 574
544=item max-retry = positive-number 575=item max-retry = positive-number
