Having run a 'pure' ipsec tunnel for some years now, I was wondering if there
are more advantages in using a tunnel like gre(4), gif(4) or etherip(4) over
ipsec except being able to set the mtu or pass Layer 2 traffic?
If you don't see the advantages, chances are that you don't *need* it. Adding
another encapsulation layer is seen as a bad move if you don't need it (more
fragmentation or a further reduced mtu).
I have done setups with gif for L2 connectivity over the internet (also a bad idea,
but sometimes you don't have a choice) and for handling easy ipsec redundancy.
Let me explain the last statement. I've built 2 tunnels from each remote to the
main site, and added gif encapsulation over ipsec. That means I have 2 paths for the
same destination. In order to choose the path automatically in a symmetric way, I
used OSPF over gif to determine the best path. In this setup, gif/gre
encapsulation is mandatory because OSPF uses multicast to discover peers and
native IPsec doesn't support it. OSPF also gave me route redistribution for free.
If you have only 2 sites, you can use other ways to check link connectivity
rather than OSPF. You can use GRE keepalives (careful, they are not supported on
Linux), ifstated to check and take action in case of link failure, or just
routes with different weights. OpenBSD gives you the tools; you have the
responsibility to understand them and find the best one for your use case.
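As an added illustration (not configuration from the poster), here is roughly what the "gif over ipsec plus OSPF" redundancy setup above looks like on an OpenBSD remote site with two paths to the main site. Addresses are constructed; the public endpoints 192.0.2.1/203.0.113.1 (path 1) and 198.51.100.1/203.0.113.2 (path 2), the 10.255.0.0/30 and 10.255.0.4/30 tunnel nets, the PSK placeholder and the metrics are all assumptions, and the exact hostname.if(5) field order should be checked against the man page.

```conf
# /etc/hostname.gif0 -- path 1: outer tunnel endpoints, then inner p2p address
tunnel 192.0.2.1 203.0.113.1
inet 10.255.0.1 255.255.255.252 10.255.0.2

# /etc/hostname.gif1 -- path 2, same shape, different endpoints and inner net
tunnel 198.51.100.1 203.0.113.2
inet 10.255.0.5 255.255.255.252 10.255.0.6

# /etc/ipsec.conf -- transport-mode ESP only for the IP-in-IP (gif) traffic
# between each pair of outer endpoints; the encrypted payload is the gif packet.
ike esp transport proto ipencap from 192.0.2.1 to 203.0.113.1 \
    psk "REPLACE_WITH_STRONG_PSK_1"
ike esp transport proto ipencap from 198.51.100.1 to 203.0.113.2 \
    psk "REPLACE_WITH_STRONG_PSK_2"

# /etc/ospfd.conf -- OSPF hellos (multicast) ride inside the gif tunnels, so a
# dead path is withdrawn automatically; the lower metric wins while both are up.
router-id 10.255.0.1
redistribute connected
area 0.0.0.0 {
    interface gif0 {
        metric 10
        hello-interval 3
        router-dead-time 10
    }
    interface gif1 {
        metric 20
        hello-interval 3
        router-dead-time 10
    }
}
```

The main site mirrors this with the addresses swapped; `redistribute connected` is what gives the "route redistribution for free" mentioned above, so each site's LANs appear at the other without static routes.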
Thanks for your answer