IP-TUNNEL(8)                        Linux                       IP-TUNNEL(8)

NAME         top

       ip-tunnel - tunnel configuration

SYNOPSIS         top

       ip tunnel help

       ip [ OPTIONS ] tunnel { add | change | del | show | prl | 6rd } [
               NAME ]
               [ mode MODE ] [ remote ADDR ] [ local ADDR ]
               [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ] ]
               [ encaplimit ELIM ] [ ttl|hoplimit TTL ]
               [ tos TOS ] [ flowlabel FLOWLABEL ]
               [ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR
               [ 6rd-prefix ADDR ] [ 6rd-relay_prefix ADDR ] [ 6rd-reset ]
               [ [no]pmtudisc ] [ [no]ignore-df ] [ [no]allow-localremote ]
               [ dev PHYS_DEV ]

       MODE :=  { ipip | gre | sit | isatap | vti | ip6ip6 | ipip6 | ip6gre
               | vti6 | any }

       ADDR := { IP_ADDRESS | any }

       TOS := { STRING | 00..ff | inherit | inherit/STRING | inherit/00..ff

       ELIM := { none | 0..255 }

       TTL := { 1..255 | inherit }

       KEY := { DOTTED_QUAD | NUMBER }

DESCRIPTION         top

       tunnel objects are tunnels, encapsulating packets in IP packets and
       then sending them over the IP infrastructure.  The encapsulating (or
       outer) address family is specified by the -f option. The default is

       ip tunnel add
              add a new tunnel

       ip tunnel change
              change an existing tunnel

       ip tunnel delete
              destroy a tunnel

              name NAME (default)
                     select the tunnel device name.

              mode MODE
                     set the tunnel mode. Available modes depend on the
                     encapsulating address family.
                     Modes for IPv4 encapsulation available: ipip, sit,
                     isatap, vti, and gre.
                     Modes for IPv6 encapsulation available: ip6ip6, ipip6,
                     ip6gre, vti6, and any.

              remote ADDRESS
                     set the remote endpoint of the tunnel.

              local ADDRESS
                     set the fixed local address for tunneled packets.  It
                     must be an address on another interface of this host.

              ttl N

              hoplimit N
                     set a fixed TTL (IPv4) or hoplimit (IPv6) N on tunneled
                     packets.  N is a number in the range 1--255. 0 is a
                     special value meaning that packets inherit the TTL
                     value.  The default value for IPv4 tunnels is: inherit.
                     The default value for IPv6 tunnels is: 64.

              tos T

              dsfield T

              tclass T
                     set the type of service (IPv4) or traffic class (IPv6)
                     field on tunneled packets, which can be specified as
                     either a two-digit hex value (e.g. c0) or a predefined
                     string (e.g. internet).  The value inherit causes the
                     field to be copied from the original IP header. The
                     values inherit/STRING or inherit/00..ff will set the
                     field to STRING or 00..ff when tunneling non-IP
                     packets. The default value is 00.

              dev NAME
                     bind the tunnel to the device NAME so that tunneled
                     packets will only be routed via this device and will
                     not be able to escape to another device when the route
                     to endpoint changes.

                     disable Path MTU Discovery on this tunnel.  It is
                     enabled by default. Note that a fixed ttl is
                     incompatible with this option: tunneling with a fixed
                     ttl always makes pmtu discovery.

                     enable IPv4 DF suppression on this tunnel.  Normally
                     datagrams that exceed the MTU will be fragmented; the
                     presence of the DF flag inhibits this, resulting
                     instead in an ICMP Unreachable (Fragmentation Required)
                     message.  Enabling this attribute causes the DF flag to
                     be ignored.

              key K

              ikey K

              okey K ( only GRE tunnels ) use keyed GRE with key K. K is
                     either a number or an IP address-like dotted quad.  The
                     key parameter sets the key to use in both directions.
                     The ikey and okey parameters set different keys for
                     input and output.

              csum, icsum, ocsum
                     ( only GRE tunnels ) generate/require checksums for
                     tunneled packets.  The ocsum flag calculates checksums
                     for outgoing packets.  The icsum flag requires that all
                     input packets have the correct checksum. The csum flag
                     is equivalent to the combination icsum ocsum.

              seq, iseq, oseq
                     ( only GRE tunnels ) serialize packets.  The oseq flag
                     enables sequencing of outgoing packets.  The iseq flag
                     requires that all input packets are serialized.  The
                     seq flag is equivalent to the combination iseq oseq.
                     It doesn't work. Don't use it.

              encaplim ELIM
                     ( only IPv6 tunnels ) set a fixed encapsulation limit.
                     Default is 4.

              flowlabel FLOWLABEL
                     ( only IPv6 tunnels ) set a fixed flowlabel.

                     ( only IPv6 tunnels ) allow remote endpoint on the
                     local host.

       ip tunnel prl
              potential router list (ISATAP only)

              dev NAME
                     mandatory device name.

              prl-default ADDR

              prl-nodefault ADDR

              prl-delete ADDR
                     Add or delete ADDR as a potential router or default

       ip tunnel show
              list tunnels This command has no arguments.

SEE ALSO         top


AUTHOR         top

       Original Manpage by Michail Litvak <>

COLOPHON         top

       This page is part of the iproute2 (utilities for controlling TCP/IP
       networking and traffic) project.  Information about the project can
       be found at 
       If you have a bug report for this manual page, send it to,  This page was obtained
       from the project's upstream Git repository
       ⟨⟩ on
       2020-02-08.  (At that time, the date of the most recent commit that
       was found in the repository was 2020-01-29.)  If you discover any
       rendering problems in this HTML version of the page, or you believe
       there is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

iproute2                         20 Dec 2011                    IP-TUNNEL(8)

Pages that refer to this page: ip(8)