    [eth [ip [tcp/udp [data] ] ] ]
    [eth [ip [esp [tcp/udp [data] ] ] ] ]
    [eth [ip [esp [xxxxxxxxxxxxxxx] ] ] ]
This mode is the most efficient, but the endpoints are obvious, which makes traffic analysis easier.
    [eth [ip-in [tcp/udp [data] ] ] ]
    [eth [ip-out [ip-in [tcp/udp [data] ] ] ] ]
    [eth [ip-out [esp [ip-in [tcp/udp [data] ] ] ] ] ]
    [eth [ip-out [esp [xxxxxxxxxxxxxxxxxxxxxxxx] ] ] ]
This mode is less efficient, but hides the nature of the networks behind a Security Gateway. The traffic of several networks can be concealed in one tunnel, making traffic analysis much more difficult. It can be argued that pushing a news feed through a tunnel that is used for other things is a "Good Thing".
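
The two layouts above, built byte by byte as an added example (not part of the original page), to show what a passive observer can still read from the outer IP header in each mode and what each mode costs in bytes. The ciphertext and integrity value are stand-in random bytes rather than real encryption; the addresses, SPI values, 12-byte integrity value and function names are assumptions chosen for illustration.

```python
import os
import socket
import struct

ESP = 50          # IP protocol number for ESP
IPIP = 4          # next-header value for an encapsulated IPv4 packet
TCP = 6

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def esp(spi, seq, inner, next_header):
    """ESP header + stand-in ciphertext covering payload, padding and trailer."""
    pad = (-(len(inner) + 2)) % 4                 # align trailer to 4 bytes
    plaintext = inner + bytes(range(1, pad + 1)) + bytes([pad, next_header])
    ciphertext = os.urandom(len(plaintext))       # stand-in, NOT real encryption
    icv = os.urandom(12)                          # assumed 96-bit integrity value
    return struct.pack("!II", spi, seq) + ciphertext + icv

def transport_mode(pkt, spi=0x1001, seq=1):
    """[ip [esp [xxxx]]]: original IP header kept, only its payload is hidden."""
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return ipv4(src, dst, ESP, esp(spi, seq, pkt[20:], proto))

def tunnel_mode(pkt, gw_src, gw_dst, spi=0x2001, seq=1):
    """[ip-out [esp [xxxx]]]: whole inner packet hidden behind gateway addresses."""
    return ipv4(gw_src, gw_dst, ESP, esp(spi, seq, pkt, IPIP))

def observer_view(pkt):
    """What a passive observer on the wire can read from the outer IP header."""
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "length": len(pkt)}

# Constructed sample: 20-byte dummy TCP header + 100 bytes of data between two hosts.
ORIGINAL = ipv4("10.1.0.5", "10.2.0.9", TCP, bytes(20) + b"A" * 100)
TRANSPORT = transport_mode(ORIGINAL)
TUNNEL = tunnel_mode(ORIGINAL, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for name, p in [("original", ORIGINAL), ("transport", TRANSPORT), ("tunnel", TUNNEL)]:
        print(name, observer_view(p))
```

For the constructed 140-byte packet, the first layout comes out at 164 bytes with the real host addresses still readable, and the second at 184 bytes with only the two gateway addresses readable; the 20-byte difference is the extra outer IP header.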