So it's completely awesome that the preshared key option was added to IPIP setup, which automatically creates all of the tedious IPSec configuration parameters.
But... how does this work (and it does work*) without 500 (IKE) and 4500 (IPSec NAT) open on the firewall? I.e., everything is configured except the firewall rules. Does preshared key not require the firewall to be opened? Is it because the tunnel attempts to connect from both ends at the same time, so the masquerade NAT just handles the incoming connection because of the outgoing connection?
* To be fair, the tunnel is up, and works. But I have not used a sniffer to see that IPSec is actually working as advertised.