Creating IPsec tunnels
In the Encryption policy - Tunnels tab of the VPN > IPsec VPN module, click on Add and select Site-to-site tunnel. Fill in the various fields suggested by the tunnel creation wizard and confirm:
Local network: select the physical interface bearing the GRE tunnel (Firewall_out in the example).
Remote network: select an object bearing the public IP address of the remote firewall.
Peer selection: create (or select it if it exists) a peer whose remote gateway will be an object bearing the public IP address of the remote firewall.
For further detail on how to create a peer using authentication by pre-shared key or certificates, please refer to the documents IPsec VPN - Authentication by pre-shared key and IPsec VPN - Authentication by certificate.
The version of the IKE protocol for this peer has to be the same as:
the one used on the remote firewall,
the one for the peers used in the other rules of the IPsec policy in question.
In order to prevent the setup of IPsec tunnels for protocols other than GRE and thereby preventing the encryption of traffic such as ICMP (ping), the GRE protocol can be specified in the Protocol column. If this column does not display, roll your mouse over the title of any column and expand the pop-up menu by clicking on the arrow. Select Columns then check Protocol:
The IPsec VPN policy will therefore resemble:
Since the firewall initiated the sending of GRE network packets, filter rules therefore do not need to be created for this protocol.