Tunnel-group-based GRE tunnels can be protected by applying IPsec transport mode encryption to the GRE tunnel packets. This is achieved by configuring an IPsec transport mode profile under the IP tunnel configuration. When the profile is enabled, the data path flows as follows in the private-to-public direction:
1. The payload packet is received on the private tunnel SAP.
2. Optionally, pre-encapsulation fragmentation is performed based on the payload packet size and the ip-mtu configured under the ip-tunnel context.
3. The payload packet is encapsulated into a GRE tunnel packet.
4. IPsec transport mode encryption is applied to the GRE tunnel packet, which results in an IPsec ESP packet.
5. Optionally, post-encapsulation fragmentation is performed based on the ESP packet size and the encapsulated-ip-mtu configured under the ip-tunnel context.
In the public-to-private direction, the data path flows as follows:
1. The IPsec ESP packet is received on the public tunnel SAP.
2. If the ESP packet is fragmented, it is reassembled.
3. The ESP packet is decrypted, which results in a GRE tunnel packet.
4. The GRE tunnel packet is decapsulated and the payload packet is forwarded out of the private tunnel SAP.
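As an added illustration (not SR OS code or vendor output), the following Python builds the transport-mode ESP framing of a GRE tunnel packet described above and applies the ip-mtu and encapsulated-ip-mtu checks that drive pre- and post-encapsulation fragmentation. The IV and ICV sizes, the SPI, and the tunnel addresses are assumed values; the ESP body is left unencrypted so the layout stays visible.

```python
import socket
import struct

IPV4_HDR_LEN = 20             # IPv4 header without options
GRE_HDR_LEN = 4               # flags/version + protocol type (no key, no sequence)
ESP_HDR_LEN = 8               # SPI + sequence number
IPPROTO_GRE, IPPROTO_ESP = 47, 50
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left zero) for a tunnel packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0x4000, 64, proto, 0, src, dst)

def gre_encapsulate(payload, src, dst):
    """GRE encapsulation step: wrap the payload packet in GRE over IPv4."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + payload
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre

def esp_transport_encapsulate(gre_packet, spi, seq, iv, icv_len=12, block=16):
    """Transport-mode ESP step: the tunnel IP header is kept (protocol becomes 50);
    the GRE header plus payload becomes the ESP payload, and the trailer's
    next-header field records GRE (47) so the receiver hands it back to GRE."""
    ip_hdr, body = gre_packet[:IPV4_HDR_LEN], gre_packet[IPV4_HDR_LEN:]
    pad_len = (-(len(body) + 2)) % block           # align payload + trailer to the cipher block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_GRE])
    # A real ESP implementation encrypts body + trailer under the CHILD_SA keys and
    # appends a computed ICV; here both stay in the clear and the ICV is a zero placeholder.
    esp = struct.pack("!II", spi, seq) + iv + body + trailer + bytes(icv_len)
    return ipv4_header(ip_hdr[12:16], ip_hdr[16:20], IPPROTO_ESP, len(esp)) + esp

def plan_fragmentation(payload_len, ip_mtu, encapsulated_ip_mtu, iv_len=16, icv_len=12, block=16):
    """Fragmentation steps: ip-mtu governs the payload before GRE (pre-encapsulation),
    encapsulated-ip-mtu governs the finished ESP packet (post-encapsulation)."""
    pre_frag = payload_len > ip_mtu
    largest_payload = min(payload_len, ip_mtu)     # largest piece after optional pre-fragmentation
    body_len = GRE_HDR_LEN + largest_payload
    pad_len = (-(body_len + 2)) % block
    esp_packet_len = IPV4_HDR_LEN + ESP_HDR_LEN + iv_len + body_len + pad_len + 2 + icv_len
    return {"pre_fragment": pre_frag, "esp_packet_len": esp_packet_len,
            "post_fragment": esp_packet_len > encapsulated_ip_mtu}

if __name__ == "__main__":
    # Constructed sample: a 40-byte payload between constructed tunnel endpoints.
    src, dst = socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.1")
    gre_pkt = gre_encapsulate(bytes(40), src, dst)
    esp_pkt = esp_transport_encapsulate(gre_pkt, spi=0x1000, seq=1, iv=bytes(16))
    print(len(gre_pkt), len(esp_pkt), plan_fragmentation(1400, 1500, 1400))
```

The 1400-byte sample payload fits the ip-mtu of 1500, yet the resulting ESP packet (1464 bytes) exceeds an encapsulated-ip-mtu of 1400, which is exactly the case post-encapsulation fragmentation exists for.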
This feature uses IKEv2 to create an IKE_SA and a transport mode CHILD_SA for a specific GRE tunnel. The IKE/IPsec behavior is similar to that of an IPsec static LAN-to-LAN tunnel, with some transport-mode-specific differences.