The tunnel interface is a virtual interface, and IPSec is on top of the GRE tunnel, i.e. the GRE tunnel is encapsulated inside the IPSec tunnel; therefore you would need to set the physical IP address as the peer address.
It boils down to the age-old question: Which comes first, the chicken or the egg?
In IPSec using VTI, the three phases of IPsec come first. Once they've agreed on the security principle, the tunnel follows next, followed by your routing protocols. Once these are agreed, data traffic starts to traverse the network.
A little. Because when sent through the tunnel via transport mode, the payload doesn't have an IPSec IP header (at least I think so. I'll have to check my notes) and just the payload is encrypted down the GRE tunnel. I'm also assuming that it's the crypto ACL that defines which interesting traffic is encrypted through IPsec and thus the GRE tunnel.
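The setup discussed in the replies above (crypto map peer set to the physical address, crypto ACL matching GRE, transport mode), sketched as an added IOS configuration example that is not taken from any poster. The addresses (documentation ranges), interface name, object names and tunnel subnet are constructed assumptions, and the pre-shared key is a placeholder.

```cisco
! Added example for Router A. Constructed values:
!   Router A physical address: 198.51.100.1 (GigabitEthernet0/0, assumed)
!   Router B physical address: 203.0.113.1
!   Tunnel subnet:             10.255.0.0/30
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The key is bound to the peer's physical address, not its tunnel address
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: the interesting traffic is the GRE packet itself,
! sourced and destined to the two physical addresses
ip access-list extended GRE-A-TO-B
 permit gre host 198.51.100.1 host 203.0.113.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 ! Peer is the remote physical address; the Tunnel0 address is only
 ! reachable once the GRE tunnel is already up
 set peer 203.0.113.1
 set transform-set GRE-TS
 match address GRE-A-TO-B
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ! The crypto map is applied on the physical egress interface
 crypto map GRE-MAP
```

Router B mirrors this with the addresses swapped; `show crypto ipsec sa` should then show the encaps/decaps counters rising as routing-protocol traffic crosses Tunnel0.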