Absolutely correct. An IPSec tunnel does not support encryption/decryption of multicast traffic; therefore, if you need to pass routing protocols through an IPSec tunnel, they need to be encapsulated in GRE first, prior to being encrypted in ESP.
If you have R1 and R2 connected directly, they can participate in dynamic routing protocols in clear text. However, if you need the routing protocols to be encrypted, you still need to encapsulate them in GRE prior to being encrypted.
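The GRE-then-ESP ordering described above, as an added configuration sketch for the R1 side (not part of the original posts). All addresses, the interface name, the pre-shared key placeholder and the names GRE-TS and GRE-PROT are constructed for illustration; R2 would mirror it with the addresses swapped.

```ios
! Constructed example: R1 public 192.0.2.1, R2 public 198.51.100.2,
! tunnel subnet 10.0.0.0/30. Replace every value with your own.
!
! IKE phase 1 policy and pre-shared key for the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2
!
! ESP transform set. Transport mode is enough because GRE already
! supplies the outer IP header between the two tunnel endpoints.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel (default tunnel mode is GRE over IP). OSPF hellos sent to
! 224.0.0.5 are wrapped in unicast GRE here, and the resulting GRE
! packet is what IPSec encrypts in ESP.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! Run the routing protocol on the tunnel subnet only, so adjacencies
! form across the protected tunnel and not in clear text on the
! physical link.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
```

To check the result, `show crypto ipsec sa` should show the encaps/decaps counters rising while `show ip ospf neighbor` lists the peer as reachable via Tunnel0.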
I do feel that GRE is a real workaround. I do remember a scenario in OSPF, which has a rule that all areas should be connected directly to area 0, and when the scenario violates this rule, we can use a virtual link. I think in that case we also use GRE?