It is my understanding that in a RAP <-www-> MC environment the RAP establishes an IPsec-Tunnel over the Internet in which it communicates with the controller.
Are the following scenarios with tunneled mode correct?
I. The Control Plane Traffic over PAPI is encrypted again inside the aforementioned "outer" IPsec-Tunnel with another IPsec tunnel?
II. User Traffic from a wired port on the RAP is also encrypted again in another IPsec-Tunnel inside the "outer" IPsec-Tunnel?
III. User Traffic via WLAN is encrypted by the client itself via WPA2 and is then routed through the "outer" IPsec-Tunnel via a GRE-Tunnel? (If I understood it correctly, there is an option to "double encrypt", so that this WPA2 encrypted traffic can also be encrypted again at the RAP via another IPsec-Tunnel inside the "outer" IPsec-Tunnel).
IV. If I.-III. are wrong: The RAP establishes an "outer" IPsec-Tunnel and just puts the wired traffic, the Data Plane Traffic and the WLAN Traffic in multiple unencrypted GRE-Tunnels inside the "outer" IPsec-Tunnel?