Cisco IOS devices can use virtual tunnel interfaces (VTI) in order to create a GRE tunnel interface that is protected by IPSec.  Configuration of the encryption protection is performed from within the GRE tunnel interface.

You still need a pre-shared key, and other IPSec configuration options to match (such as ISAKMP policies and transform sets). 

I have not tested a VTI tunnel using NAT or PAT.  (I believe that PAT is incompatible with VTI connections, because all traffic uses GRE packets, which cannot be port address translated.)