You caught me on my way out the door but I have done a great deal of ip-in-ip over ipsec or gre over ipsec. Check out http://lartc.org specifically http://lartc.org/howto/lartc.tunnel.ip-ip.html