
Why there is a need for an extra IP header when sending encrypted traffic


yashchopra
Mar 18, 2007, 09:22 AM
When sending encrypted traffic from firewall to firewall, why does there need to be an extra IP header? Why can't the firewall simply encrypt the packet, leaving the source and destination as the original source and destination?

tbakry
Oct 10, 2007, 09:33 PM
Because the encrypted payload contains the needed routing information for the clients. If all we wanted to do was encrypt traffic between two hosts, we would not need to have the extra header, but since we are creating an encrypted tunnel, the decrypted payload needs to be able to be processed on the network at either end of the tunnel.

Cheers,

Tom
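
The encapsulation discussed in this thread, as an added example that is not part of the original posts: the sending firewall encrypts the whole inner packet, original IP header included, and prepends a new header addressed firewall to firewall. All addresses, the key and the SPI are constructed; `toy_cipher` is a stand-in for the real ESP cipher, and the ESP trailer and integrity check value are omitted.

```python
import hashlib
import socket
import struct

ESP = 50  # IANA protocol number for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def addresses(packet):
    """Return (src, dst) as seen by anything that reads the first IP header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def toy_cipher(key, data):
    """Stand-in for the ESP cipher: XOR with a SHA-256 keystream. Not secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate(inner, key, gw_src, gw_dst, spi=0x1000, seq=1):
    """Sending firewall: encrypt the WHOLE inner packet, prepend an outer header."""
    esp = struct.pack("!II", spi, seq) + toy_cipher(key, inner)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def decapsulate(outer, key):
    """Receiving firewall: strip outer IP header (20) and SPI/sequence (8), decrypt."""
    return toy_cipher(key, outer[20 + 8:])

# Constructed sample: a host behind firewall A sends to a host behind firewall B.
KEY = b"constructed-demo-key"
data = b"GET /payroll"  # stands in for the TCP segment
inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(data)) + data
outer = encapsulate(inner, KEY, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("routers between the firewalls see:", addresses(outer))
    print("firewall B forwards on its LAN to:", addresses(decapsulate(outer, KEY)))
```

Routers on the path can only act on the outer header, while the inner header that firewall B needs for delivery on its own network exists only after decryption.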