I paused a bit during my QoS study when I hit the qos pre-classify command. My question is, why would we need GRE/tunnelling to create an IPsec VPN? I managed to get my IPsec VPN working without GRE/tunnelling, and that only makes me wonder why all the more.
I had been searching everywhere, but I guess I didn't use the right keywords. Apparently "multicast ipsec" were the keywords, as I found it in the Cisco documentation.
IPsec Deployment with Point-to-Point GRE
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
- IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
- IPmc [IP Multicast] is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.
Until the introduction of IPsec Virtual Tunnel Interface (VTI), IPsec tunnels were not logical tunnel interfaces for routing purposes. A point-to-point (p2p) GRE tunnel, on the other hand, is a logical router interface for purposes of forwarding IP (or any other network protocol) traffic. A tunnel interface can appear as a next-hop interface in the routing table.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/V3PNIPmc.html#wp349808
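To tie the quoted points together, here is an added example (not from the post or the Cisco document it cites) of an IOS configuration with a p2p GRE tunnel protected by IPsec, PIM and OSPF running over the tunnel interface, and qos pre-classify so the WAN policy can still classify on the inner headers after encryption. Interface names, addresses, ACL/policy names and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the post or the Cisco document it quotes): a p2p GRE
! tunnel protected by IPsec on Cisco IOS, with PIM and OSPF running over the
! tunnel and qos pre-classify so the WAN policy can classify on the inner
! headers. Addresses, names and the pre-shared key are constructed placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
!
ip multicast-routing
!
! Classify by inner source subnet. The ACL can only match after encryption if
! qos pre-classify is set on the tunnel, because the WAN interface otherwise
! sees only the outer ESP packet, not the GRE payload's addresses.
ip access-list extended VOICE-SUBNET
 permit ip 10.10.0.0 0.0.255.255 any
class-map match-any VOICE
 match access-group name VOICE-SUBNET
policy-map WAN-QOS
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
interface Tunnel0
 description p2p GRE to branch, encrypted by IPsec
 ip address 10.255.0.1 255.255.255.252
 ip pim sparse-mode
 ip ospf 1 area 0
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 service-policy output WAN-QOS
```

Because Tunnel0 is a real routed interface, OSPF forms an adjacency across it and PIM can send multicast through it; the IPsec peer only ever sees unicast GRE packets between the two tunnel endpoints.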