Well, you can, but it would be a bad idea in most cases. IPsec encryption is done down in the IP layer of the Internet protocol suite’s protocol stack, which is too low a layer to let the user know if it is running. Some routers support IPsec, and some don’t. You don’t know if the other party supports IPsec, so some connections will be not encrypted, and you would never know it. If you don’t know for sure whether the call is encrypted, what good is it? It’s better to do the encryption at the application layer, so that the user can be told if the call is encrypted.