To emphasize, this is not a trivial point - I have had many times when my recommendations to clients would be to encrypt the channel, e.g. with SSL - however they dont have access to source code, or SSL is not supported by vendor, etc - and IPsec is basically drop-in encryption (as far as the app is concerned) and totally out of view of the app. Very secure, if implemented correctly