As you understand, there are 2 ways to use IPSec with GRE. One is GRE inside IPSec (this is the most often used) and the other is IPSec inside GRE. Your option A is the case of IPSec inside GRE and option B is the case of GRE inside IPSec.
You would require GRE inside IPSec when you want non-IP packets or multicast packets to be encrypted and sent over a tunnel. This is because IPSec can encrypt only unicast traffic. For example, a routing protocol like RIP uses multicast for communicating with RIP-enabled routers. In this case, the multicast traffic is first encapsulated with GRE (which will turn the multicast packet into a unicast packet by changing the source and destination address to the tunnel source and destination address) and then IPSec is applied on it.
The necessary rule of thumb is:
For GRE inside IPSec tunnel, use only GRE as the protocol and the GRE tunnel end points as the traffic source and destination in the crypto ACL.
For IPSec inside GRE tunnel, use only IP as the protocol and only hosts as the traffic source and destination in your crypto ACL.
Hope that is clear. Let me know if you have more questions.
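
The rule of thumb above as a Cisco IOS configuration for the GRE inside IPSec case, with the crypto ACL for the other case shown for contrast. This is an added example, not part of the original answer; the addresses (documentation ranges), the names VPN and TS, the ACL numbers, the interface names and the pre-shared key placeholder are all assumptions.

```cisco
! --- GRE inside IPSec: encrypt the GRE packets between the tunnel endpoints ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key, replace before use
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: protocol is GRE only, source and destination are the
! GRE tunnel endpoints (tunnel source / tunnel destination below)
access-list 110 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 110
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
!
! Crypto map goes on the physical interface the GRE packets leave through
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
! Multicast routing updates (RIP here) enter Tunnel0, are wrapped in
! unicast GRE, and then match access-list 110 on the way out
router rip
 version 2
 network 10.0.0.0
!
! --- IPSec inside GRE: crypto ACL for contrast (hosts are constructed) ---
! Protocol is IP only, source and destination are the end hosts,
! not the tunnel endpoints
access-list 120 permit ip host 10.1.1.10 host 10.2.2.10
```

On a running router, `show crypto ipsec sa` lists the protected flow for each security association, which should show GRE (protocol 47) between the two tunnel endpoints in the first case.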