931 Views | 6 Helpful | 19 Replies

GRE tunneling

ColForbin (Level 1)

I have a remote site I need to make some tunneling changes to. It connects back to the core router by way of a layer 3 circuit to another remote location that has a dedicated p2p to the core. R1 <> L3 circuit <> R2 <> leased line <> R3 (core)

R1-R2 have a GRE tunnel. The L3 circuit is just transport; the ISP does no routing.

I need to encrypt traffic from R1 to R3 and back. 2 questions, naturally:

What's the best way to accomplish it? If that means replacing hardware, so be it.

And two, the best way given the constraints of the current hardware?


Accepted Solution

"R1-R2 have a GRE tunnel. The L3 circuit is just transport; the ISP does no routing.

I need to encrypt traffic from R1 to R3 and back. 2 questions, naturally"

These are your requirements, and they mandate two tunnels.

Since we use two tunnels, R1 must do dual encapsulation; the other routers only have one encap.

To test, ping from R1 to R3: you need to specify the LO to check the underlay, and you can use the tunnel IP to check the overlay.

MHM


19 Replies

Why do you not use VTI?

MHM

I think it gets a solution:

Underlay 1

R1 to R2 and R2 to R3

Underlay 2

GRE tunnel between R1 and R2 advertising the IP that is used for ...

... overlay 1: GRE tunnel (protected by IPsec) between R1 and R3

MHM

Because of the reliance on the existing GRE tunnel, it causes an encapsulation problem from R1->R3.

"Because of the reliance on the existing GRE tunnel, it causes an encapsulation problem from R1->R3" <<- can you elaborate?

MHM

Quick answer is: put a tunnel from R1 to R3, then R1 encapsulates the original tunnel and then the new tunnel. From R3 it's just wrapped in the new tunnel.

I don't get it again.

Which of these layers below can you not config?

Underlay 1

R1 to R2 and R2 to R3

Underlay 2

GRE tunnel between R1 and R2 advertising the IP that is used for ...

... overlay 1: GRE tunnel (protected by IPsec) between R1 and R3

So implementing VTI:

R3 sends traffic to R1 by encapsulating it in the new IPsec tunnel and sends it off to the next hop on the point-to-point connection, which is R2; no issue.

The return traffic from R1:

R1 encapsulates it in the new IPsec tunnel; how do I get to R3? Oh, the existing GRE tunnel. Adds a second encapsulation and sends it off to R2.

To elaborate further, the R3 connection to R2 is a /30; it's a leased line.

The connection from R1 to R2 is a /29 using RFC 1918 addressing from that ISP.

r1 gi0/0 192.168.5.154/29

ip route 192.168.5.144 255.255.255.248 gi0/0 192.168.5.155

r2 gi0/0 192.168.5.146/29

ip route 192.168.5.152 255.255.255.248 gi0/0 192.168.5.145

The GRE tunnel is R1 192.168.5.154 to 192.168.5.146.

That tunnel is the only path from R1 to R3 in the current topology, so that tunnel must exist. So adding a tunnel from 1->3 creates a double encapsulation from R1.

If there's a better way to do the underlay?

Or another similar tunnel added to the underlay from R3 to R2 so both sides are symmetrical?

Then a tunnel over the top with double encapsulation at either end?

[attached diagram: gre gre gre.png]

Interesting, I can't see this diagram unless I log off my profile. Anyway, yes, that is 100% the topology. I'm not clear on what you mean by the route statements.

R1 uses a static route with egress GRE tunnel to learn the far R3 LO.

R2 uses the same to learn the R1 LO.

R3 uses a static route with egress direct connect to R2 to learn the R1 LO.

R2 uses a static route with egress direct connect to R3 to learn the R3 LO.

Now the R1/R3 LOs are known by R1 and R3.

We run a GRE tunnel using these LOs as source/dest.

That's it.

MHM


R1 use static route using egress GRE tunnel to learn far R3 LO

  • ip route 3.3.3.3 255.255.255.255 next hop Tunnel0 or R2 tunnel addr?

R2 use same to learn R1 LO

  • ip route 1.1.1.1 255.255.255.255 next hop Tunnel0 or R1 tunnel addr?

R3 use static route egress direct connect to R2 to learn R1 LO

  • r1 gi0/0 is 10.10.10.1/30
  • r2 gi0/1 is 10.10.10.2/30
  • ip route 1.1.1.1 255.255.255.255 10.10.10.2?

R2 use static route egress direct connect to R3 to learn R3 LO

  • just the reverse of R3 to R2?

Now R1/R3 LO is known by R1 and R3

We run GRE tunnel using these LO as source/dest

New Tunnel2 on R1:

tunnel source 1.1.1.1

tunnel dest 3.3.3.3

Reverse that for R3, of course.

That's all the new stuff. The underlay would just be the existing, working current config, right?


  • ip route 3.3.3.3 255.255.255.255 next hop Tunnel0 or R2 tunnel addr? -> ip route 3.3.3.3 255.255.255.255 Tunnel0
  • ip route 1.1.1.1 255.255.255.255 next hop Tunnel0 or R1 tunnel addr? -> ip route 1.1.1.1 255.255.255.255 Tunnel0

R3 use static route egress direct connect to R2 to learn R1

In R3:

ip route 1.1.1.1 255.255.255.255 <R2 IP of interface connected to R3>
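As an added worked example (a constructed model written for this page, not code from this thread, from either poster, or from Cisco), the Python script below encodes the addresses and static routes given in the replies and forwards one packet across Tunnel2 hop by hop, recording every encapsulation and decapsulation. It lets you check the accepted solution's claim that R1 pushes two headers while R2 and R3 push one each, and it includes a recursive-routing check: a tunnel whose destination is itself routed through that tunnel. Values not in the thread are assumptions: the ISP hop is modelled as a device owning 192.168.5.155 and 192.168.5.145; 10.10.10.1/30 is placed on R3's side of the leased line; Tunnel2 uses the made-up addresses 172.16.13.1/30 (R1) and 172.16.13.2/30 (R3).

```python
"""Constructed hop-by-hop model of the thread's design (added example, not Cisco IOS code):
Tunnel0 = plain GRE R1<->R2 over the ISP /29s; Loopback0 1.1.1.1 (R1) / 3.3.3.3 (R3) reached by
the posted static routes; Tunnel2 = GRE protected by IPsec between those loopbacks. Assumed:
an ISP device owning 192.168.5.155/.145, 10.10.10.1/30 on R3 toward R2, Tunnel2 172.16.13.0/30."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Tunnel:
    src: str            # tunnel source address
    dst: str            # tunnel destination address
    mode: str = "gre"   # "gre" or "gre+ipsec" (tunnel protection)

@dataclass
class Router:
    name: str
    interfaces: dict                             # ifname -> "address/prefixlen"
    routes: list = field(default_factory=list)   # (prefix, egress ifname, next hop or None)
    tunnels: dict = field(default_factory=dict)  # ifname -> Tunnel

    def owns(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ipaddress.ip_interface(a).ip == ip for a in self.interfaces.values())

    def lookup(self, dst):
        """Longest-prefix match over static routes, then connected networks."""
        ip, best = ipaddress.ip_address(dst), None
        for prefix, egress, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress, nh)
        if best:
            return best[1], best[2]
        for ifname, addr in self.interfaces.items():
            if ip in ipaddress.ip_interface(addr).network:
                return ifname, None                # directly connected
        raise LookupError(f"{self.name}: no route to {dst}")

    def recursive_routing_check(self):
        """Tunnels whose destination is routed back through the tunnel itself."""
        bad = []
        for ifname, t in self.tunnels.items():
            hop, seen = t.dst, set()
            while True:
                egress, _ = self.lookup(hop)
                if egress == ifname:
                    bad.append(ifname)
                    break
                if egress not in self.tunnels or egress in seen:
                    break                          # reached a physical interface
                seen.add(egress)
                hop = self.tunnels[egress].dst     # resolve the outer tunnel's endpoint next
        return bad

def trace(routers, start, src, dst, max_steps=40):
    """Forward one packet until delivered; returns (router, action, depth) events,
    depth being the number of tunnel headers currently wrapped around the packet."""
    owner = {ipaddress.ip_interface(a).ip: r
             for r in routers.values() for a in r.interfaces.values()}
    stack, here, events = [(src, dst)], routers[start], []   # stack[-1] is on the wire
    for _ in range(max_steps):
        odst = stack[-1][1]
        if here.owns(odst):
            if len(stack) == 1:
                events.append((here.name, "deliver", 0))
                return events
            stack.pop()                            # strip one tunnel header
            events.append((here.name, "decap", len(stack) - 1))
            continue
        egress, nh = here.lookup(odst)
        if egress in here.tunnels:
            t = here.tunnels[egress]
            stack.append((t.src, t.dst))           # add a GRE or GRE+IPsec header
            events.append((here.name, f"encap {egress} ({t.mode})", len(stack) - 1))
            continue
        events.append((here.name, f"forward {egress}", len(stack) - 1))
        here = owner[ipaddress.ip_address(nh or odst)]
    raise RuntimeError("packet never delivered")

def encaps_per_router(events):
    """Number of tunnel headers each router pushed during one trace."""
    counts = {}
    for router, action, _ in events:
        if action.startswith("encap"):
            counts[router] = counts.get(router, 0) + 1
    return counts

def build_topology():
    r1 = Router("R1", {"gi0/0": "192.168.5.154/29", "Loopback0": "1.1.1.1/32", "Tunnel2": "172.16.13.1/30"},
                [("192.168.5.144/29", "gi0/0", "192.168.5.155"), ("3.3.3.3/32", "Tunnel0", None)],
                {"Tunnel0": Tunnel("192.168.5.154", "192.168.5.146"), "Tunnel2": Tunnel("1.1.1.1", "3.3.3.3", "gre+ipsec")})
    isp = Router("ISP", {"gi0/0": "192.168.5.155/29", "gi0/1": "192.168.5.145/29"})   # assumed ISP hop
    r2 = Router("R2", {"gi0/0": "192.168.5.146/29", "gi0/1": "10.10.10.2/30"},
                [("192.168.5.152/29", "gi0/0", "192.168.5.145"), ("1.1.1.1/32", "Tunnel0", None), ("3.3.3.3/32", "gi0/1", "10.10.10.1")],
                {"Tunnel0": Tunnel("192.168.5.146", "192.168.5.154")})
    r3 = Router("R3", {"gi0/0": "10.10.10.1/30", "Loopback0": "3.3.3.3/32", "Tunnel2": "172.16.13.2/30"},
                [("1.1.1.1/32", "gi0/0", "10.10.10.2")], {"Tunnel2": Tunnel("3.3.3.3", "1.1.1.1", "gre+ipsec")})
    return {r.name: r for r in (r1, isp, r2, r3)}
```

Calling `trace(build_topology(), "R1", "172.16.13.1", "172.16.13.2")` returns the forward-direction events; `encaps_per_router` on them gives `{"R1": 2}`, while the reverse trace from R3 gives `{"R3": 1, "R2": 1}`, which is the dual encapsulation at R1 versus single encapsulation elsewhere that the accepted solution describes. `recursive_routing_check` catches the misconfiguration this design invites: if 3.3.3.3 were routed via Tunnel2 rather than Tunnel0, Tunnel2 would resolve its own destination through itself, which on IOS brings the tunnel down with a recursive routing error.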