Cisco IOS devices can use virtual tunnel interfaces (VTI) in order to create a GRE tunnel interface that is protected by IPSec. Configuration of the encryption protection is performed from within the GRE tunnel interface.
You still need a pre-shared key, and other IPSec configuration options to match (such as ISAKMP policies and transform sets).
I have not tested a VTI tunnel using NAT or PAT. (I believe that PAT is incompatible with VTI connections, because all traffic uses GRE packets, which cannot be port address translated.)