Protocol used in IPSec packet encapsulation and decapsulation on the USG2000 and USG5000 series

The supported detection packet protocol types include TCP, ICMP, HTTP, DNS, and RADIUS. If service types provided by the server are beyond these five types, you are advised to use ICMP packets to check the server reachability.

1. Upon receiving an IP packet over an interface connected to the IP network, the firewall enables the IP processing part to process the IP packet. 2. The IP processing part checks the destination address in the packet header to determine the forwarding mode. If the packet needs to pass through the GRE tunnel to arrive at the destination, the IP processing part sends the packet to the corresponding tunnel interface. 3. Upon receiving the packet, the tunnel interface encapsulates the packet with a GRE packet header and then returns the packet to the IP processing part. 4. The IP processing part encapsulates the GRE packet with a new IP packet header (the source address is the tunnel source interface IP address and the destination address is the tunnel destination interface IP address), and forwards the encapsulated IP packet over the physical port connected to the Internet based on the destination address and routing table.

1. Upon receiving an IP packet over the physical port connected to the Internet, the firewall checks the destination address of the packet. If the destination address is the firewall address and the protocol number in the IP packet header is 47 (indicating an encapsulated GRE packet), the firewall removes the IP packet header and enables the GRE protocol processing part to process the packet. 2. After checking and recognizing keywords, the GRE protocol processing part removes the GRE packet header and enables the IP processing part to process the packet. 3. The IP processing part forwards the packet to the IP network.