The idea is to get a thick and failsafe tonnel with any available protocols and then secure TCP\IP inside with ipsec.
I did it the most ugly way in paint 
EoIP interfaces then bonded and the IP is set for the bonding interface and routing applied.