FYI, I have recorded NetFlow on my tunl0 interface that appears to be NESTED IPENCAP packets. I have also seen these previously.
I have had a rule in place to log and drop these for ages, and I have not seen them recently at our gateway. As pointed out, they are configuration errors, e.g. because people put 44net addresses as the tunnel endpoint address and policy routing is sending the traffic into a tunnel instead of directly on the interface.
Other misconfigurations can result in recursive encapsulation. I believe I added the rule when there was an incident resulting in many-level encapsulated IPIP packets that were limited only by the MTU.
When you are worried about intrusions it is probably more effective to block IPIP packets from sources that are not in the gateway list. I do that as well (via ampr-ripd).
Rob
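
The two checks discussed in this thread (dropping nested IPIP and dropping IPIP from sources outside the gateway list) can be sketched as a classifier over raw IPv4 packets. This is an added example, not the poster's rule or ampr-ripd's logic; the function names are hypothetical and all addresses are constructed samples.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4 (IPENCAP)

def ipv4_header(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left 0) for constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def encap_depth(packet):
    """Return (outer_src, depth); depth counts consecutive protocol-4 headers."""
    depth, offset, outer_src = 0, 0, None
    while len(packet) - offset >= 20:
        ver_ihl = packet[offset]
        ihl = (ver_ihl & 0x0F) * 4
        if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) - offset < ihl:
            break  # not a well-formed IPv4 header, stop walking
        if outer_src is None:
            outer_src = ipaddress.IPv4Address(packet[offset + 12:offset + 16])
        if packet[offset + 9] != IPPROTO_IPIP:
            break  # innermost payload reached
        depth += 1
        offset += ihl  # step over this header, options included
    return outer_src, depth

def verdict(packet, gateways):
    """Classify a packet arriving at the gateway's outside interface."""
    src, depth = encap_depth(packet)
    if depth == 0:
        return "pass"                  # not IPIP, other rules decide
    if src not in gateways:
        return "drop-unknown-gateway"  # outer source not in the gateway list
    if depth > 1:
        return "drop-nested"           # IPIP inside IPIP: misconfiguration
    return "accept"

# Constructed sample data: one known gateway, inner traffic between 44net hosts.
GATEWAYS = {ipaddress.IPv4Address("192.0.2.10")}
INNER = ipv4_header("44.128.0.1", "44.128.0.2", 17, b"\x00" * 8)
SINGLE = ipv4_header("192.0.2.10", "192.0.2.1", IPPROTO_IPIP, INNER)
NESTED = ipv4_header("192.0.2.10", "192.0.2.1", IPPROTO_IPIP, SINGLE)

if __name__ == "__main__":
    for name, pkt in (("single", SINGLE), ("nested", NESTED), ("plain", INNER)):
        print(name, verdict(pkt, GATEWAYS))
```

The walk only sees inner headers in unfragmented packets or first fragments, so later fragments of a nested packet are not classified by depth.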