IPSec Static Virtual Tunnel Interface

Hello Yuta

So to reiterate, the tunnel mode ipsec ipv4 command configures the encapsulation. What does that mean? It may help to take a look at what we mean when we say encapsulation.

Now there is the option that I spoke about before, where you can use the following commands:

tunnel mode gre
tunnel protection ipsec profile profile_name

and the tunnel would be encrypted. This is because the first command deals with encapsulation while the second deals with the encryption.

Now if the commands are as follows:

tunnel mode ipsec ipv4
tunnel protection ipsec profile profile_name

then the encapsulation is IPSec as well. Now the IPSec encapsulation involves the entire original IP packet being encapsulated with a new packet header added. Protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected.

I hope this has been helpful!

Laz

1 Like
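The two command pairs discussed in the post above, placed in a complete static VTI configuration. This is an added example and not part of the original post. The addresses (documentation ranges), the pre-shared key placeholder, the interface names and the transform-set name TS_EXAMPLE are assumptions; only profile_name comes from the post.

```cisco
! Added example. All values except profile_name are constructed for illustration.
!
! IKEv1 phase 1 (assumption: pre-shared key authentication with the peer)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE_PSK_PLACEHOLDER address 203.0.113.2
!
! Phase 2: ESP with AES-256 and SHA-256 HMAC, in tunnel mode
crypto ipsec transform-set TS_EXAMPLE esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The profile referenced by "tunnel protection" (this is the encryption part)
crypto ipsec profile profile_name
 set transform-set TS_EXAMPLE
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 !
 ! Encapsulation choice. With IPsec encapsulation the packet on the wire is:
 !   [outer IP header][ESP][inner IP header + payload][ESP trailer/ICV]
 ! The whole inner packet, inner header included, is protected by ESP.
 ! The outer IP header is not.
 tunnel mode ipsec ipv4
 !
 ! Alternative: GRE encapsulation, still encrypted by the same profile.
 ! Replace the "tunnel mode" line above with:
 !   tunnel mode gre ip
 ! The packet on the wire then carries an extra GRE layer inside ESP:
 !   [outer IP header][ESP][IP header][GRE][inner IP header + payload][ESP trailer/ICV]
 !
 ! Encryption: applied in both cases by the IPsec profile
 tunnel protection ipsec profile profile_name
!
! Route the remote LAN (constructed prefix) through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! The peer needs the mirror-image configuration, including the same
! tunnel mode: both ends must agree on GRE or IPsec encapsulation.
```

After applying it, `show interfaces Tunnel0` reports which tunnel protocol/transport is in use, and `show crypto ipsec sa` shows whether packets are actually being encapsulated and encrypted.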