Whether the GRE can protect packets by encryption on the USG6000

The USG6000 does not support vertical encryption.

You can enable the packet capture function on the USG6000 as follows: 1. Enable the packet capture function through the CLI as follows: a. Define the packet capture range. In this example, packets from 192.168.1.0 are captured. system-view Enter system view, return user view with Ctrl+Z. [sysname] acl 3000 [sysname-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 [sysname-acl-adv-3000] quit b. Run the following command to put all IPv4 packets passing the interface and matching ACL 3000 to the packet sending queue. [sysname] packet-capture ipv4-packet 3000 interface GigabitEthernet 1/0/1 c. Start to capture packets. [sysname] packet-capture startup manual d. Save packets in the specified queue as file 1.cap on the device. The default directory is hda1:/. [sysname] packet-capture queue 0 to-file 1.cap e. After packet capture completes, terminate the packet capture process. [sysname] undo packet-capture startup f. Use FTP to download file 1.cap from the device, use the Wireshark to open the file, and analyze the captured packets.

1. Upon receiving an IP packet over an interface connected to the IP network, the firewall enables the IP processing part to process the IP packet. 2. The IP processing part checks the destination address in the packet header to determine the forwarding mode. If the packet needs to pass through the GRE tunnel to arrive at the destination, the IP processing part sends the packet to the corresponding tunnel interface. 3. Upon receiving the packet, the tunnel interface encapsulates the packet with a GRE packet header and then returns the packet to the IP processing part. 4. The IP processing part encapsulates the GRE packet with a new IP packet header (the source address is the tunnel source interface IP address and the destination address is the tunnel destination interface IP address), and forwards the encapsulated IP packet over the physical port connected to the Internet based on the destination address and routing table.

1. Upon receiving an IP packet over the physical port connected to the Internet, the firewall checks the destination address of the packet. If the destination address is the firewall address and the protocol number in the IP packet header is 47 (indicating an encapsulated GRE packet), the firewall removes the IP packet header and enables the GRE protocol processing part to process the packet. 2. After checking and recognizing keywords, the GRE protocol processing part removes the GRE packet header and enables the IP processing part to process the packet. 3. The IP processing part forwards the packet to the IP network.

GRE can be used to encapsulate multicast packets into unicast packets, but it can not encrypt packets