Before we start our first configuration, you need to understand the security provided by a properly (and even improperly!) configured IPsec tunnel. To protect against various types of attacks, such as spoofing attacks, an IPsec peer that has been configured to talk to a remote host using IPsec will not talk to that host without encryption, except for those packets needed to set up the IPsec tunnel, such as IKE packets.
If you are configuring IPsec, you are normally working locally on one endpoint, and have one remote endpoint. A secure login, usually using SSH, is used to configure the remote endpoint from the local one. Once both ends are configured, the IPsec subsystem can be started on both sides.
So imagine what happens if you make a mistake on the remote endpoint. The IPsec tunnel will fail to establish. The remote endpoint will refuse all cleartext packets from the local endpoint except IKE. This means you can no longer log in to the remote endpoint using SSH to fix its...
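One way to guard against the lockout described above is a dead-man rollback timer armed on the remote endpoint before IPsec is started there. This is an added example, not part of the original text; the function names, the confirm-file path and the rollback command are assumptions, and the rollback command is whatever stops the IPsec subsystem on your system.

```shell
#!/bin/sh
# Dead-man rollback guard for a remote IPsec change (added example).
# All names are hypothetical; the rollback command is whatever stops the
# IPsec subsystem on your system, so cleartext SSH is accepted again.

# arm_rollback DELAY_SECONDS CONFIRM_FILE ROLLBACK_COMMAND [ARGS...]
# Starts a detached timer. When it fires, ROLLBACK_COMMAND runs unless
# CONFIRM_FILE has been created in the meantime.
arm_rollback() {
    if [ "$#" -lt 3 ]; then
        echo "usage: arm_rollback SECONDS CONFIRM_FILE COMMAND..." >&2
        return 2
    fi
    delay=$1
    confirm=$2
    shift 2
    case $delay in
        ''|*[!0-9]*) echo "delay must be whole seconds" >&2; return 2 ;;
    esac
    rm -f "$confirm"    # a stale confirmation must not cancel this run
    # nohup keeps the timer alive when the SSH session that armed it dies,
    # which is exactly what happens when the tunnel fails to establish.
    nohup sh -c '
        sleep "$1"
        [ -e "$2" ] && exit 0   # operator got back in: keep the new config
        shift 2
        exec "$@"               # no confirmation: undo the change
    ' guard "$delay" "$confirm" "$@" </dev/null >/dev/null 2>&1 &
    ROLLBACK_PID=$!
}

# confirm_change CONFIRM_FILE
# Run this from a NEW login made after IPsec started, proving that the
# endpoint is still reachable.
confirm_change() {
    : > "$1"
}

# Command-line use (constructed path): "guard.sh arm 300 /run/ipsec.ok
# COMMAND..." on the remote endpoint, then "guard.sh confirm
# /run/ipsec.ok" after logging back in.
case "${1:-}" in
    arm)     shift; arm_rollback "$@" ;;
    confirm) confirm_change "${2:?confirm file required}" ;;
esac
```

Arm the guard on the remote endpoint immediately before starting IPsec there, and confirm only from a login made after IPsec is up.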