Which transport protocol is used to secure the SD-WAN overlay across the Internet?

IPsec provides encryption for the SD-WAN overlay across the Internet. It creates a secure tunnel between SD-WAN edge devices, encapsulating and protecting all overlay traffic as it travels over the untrusted public network. This tunnel offers confidentiality, integrity, and mutual authentication, ensuring that data remains private and unaltered between sites. In SD-WAN deployments, the data plane is often carried through IPsec tunnels, which is why IPsec is the transport used for securing the overlay. TLS is typically used to secure specific application or management traffic, not the entire data-plane overlay across the Internet. GRE is a tunneling protocol that by itself does not provide encryption. CAPWAP is designed for wireless access point management, not for securing an SD-WAN overlay across the Internet.