diff --git a/manpages/shorewall-tunnels.xml b/manpages/shorewall-tunnels.xml
index 946d8c457..193691994 100644
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@@ -32,10 +32,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">TYPE</emphasis> — {{<emphasis
-        role="bold">ipsec</emphasis>|<emphasis
-        role="bold">ipsecnat</emphasis>}[<emphasis
+        <term><emphasis role="bold">TYPE</emphasis> — {<emphasis
+        role="bold">ipsec</emphasis>[<emphasis
         role="bold">:noah</emphasis>]|<emphasis
+        role="bold">ipsecnat</emphasis>|<emphasis
         role="bold">ipip</emphasis>|<emphasis
         role="bold">gre</emphasis>|<emphasis
         role="bold">pptpclient</emphasis>|<emphasis
@@ -51,11 +51,25 @@
         role="bold">:</emphasis><emphasis>port</emphasis>]}</term>
 
         <listitem>
-          <para>If the type is <emphasis role="bold">ipsec</emphasis> or
-          <emphasis role="bold">ipsecnat</emphasis>, it may be followed by
-          <emphasis role="bold">:noah</emphasis> to indicate that the
-          Authentication Header protocol (51) is not used by the
-          tunnel.</para>
+          <para>Types are as follows:</para>
+
+          <programlisting>        <emphasis role="bold">ipsec</emphasis>            - IPv4 IPSEC
+        <emphasis role="bold">ipsecnat</emphasis>         - IPv4 IPSEC with NAT-Traversal (UDP port 4500 encapsulation)
+        <emphasis role="bold">ipip</emphasis>             - IPv4 encapsulated in IPv4 (Protocol 4)
+        <emphasis role="bold">gre</emphasis>              - Generalized Routing Encapsulation (Protocol 47)
+        <emphasis role="bold">pptpclient</emphasis>       - PPTP Client runs on the firewall
+        <emphasis role="bold">pptpserver</emphasis>       - PPTP Server runs on the firewall
+        <emphasis role="bold">openvpn</emphasis>          - OpenVPN in point-to-point mode
+        <emphasis role="bold">openvpnclient</emphasis>    - OpenVPN client runs on the firewall
+        <emphasis role="bold">openvpnserver</emphasis>    - OpenVPN server runs on the firewall
+        <emphasis role="bold">generic</emphasis>          - Other tunnel type</programlisting>
+
+          <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
+          be followed by <emphasis role="bold">:noah</emphasis> to indicate
+          that the Authentication Header protocol (51) is not used by the
+          tunnel. Given that nat-traversal only support ESP (protocol 50),
+          <emphasis role="bold">ipsecnat</emphasis> tunnels don't need a
+          <emphasis role="bold">noah</emphasis> option.</para>
 
           <para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
           role="bold">openvpnclient</emphasis> or <emphasis