compdigit44

asked on

IPSEC and SQL

In Windows 2012 R2 with SQL 2014, I would like to set up traffic over 1433 to use IPSEC. I have read multiple articles on the setup but need clarification on the following.

1) Are certificates on both servers required
2) Is just setting the Firewall rule to access connections over IPSEC the only thing that is needed?
Dustin Saunders

If you are connecting via an IPSEC tunnel, your traffic is going to be encrypted.

Are you establishing the tunnel via a Windows configuration or via VPN through your firewalls?
To clarify, IPSEC doesn't need certificates; it is just a matter of enabling the firewall configuration inbound on the SQL Server machine and outbound on the SQL Server client machines.
Another method is via SSL, which needs certificates to be installed on both the SQL Server machine and all client machines.
So I would refer you to this article, as it explains the above two in more detail:
https://basitaalishan.com/2012/07/16/encrypting-connections-to-sql-server/

>> 1) Are certificates on both servers required

So, certificates for both server and client are required for enabling SSL, and not for IPSEC.

>> 2) Is just setting the Firewall rule to access connections over IPSEC the only thing that is needed?

Yes, that's correct.
A few useful articles for this:
Server: https://sqlstarters.com/2014/01/23/ipsec-settings-for-the-sql-server/
Clients: https://sqlstarters.com/2014/02/05/ipsec-settings-for-the-client/
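What "enabling the firewall configuration" looks like in practice, as an added example that is not from the thread or the linked articles: Windows Firewall with Advanced Security connection security rules that require IPsec for TCP 1433, created with the NetSecurity cmdlets that ship with Windows Server 2012 R2. The example assumes both hosts are domain-joined so Kerberos machine authentication can be used (that is what makes certificates unnecessary; a non-domain peer would need a certificate or a pre-shared key instead, and Microsoft recommends against pre-shared keys for production). Addresses (10.0.1.10 for the front end, 10.0.1.20 for the SQL Server), rule names and function names are placeholders. A rule is needed on both peers, since each side negotiates the security association, so there is one function per role.

```powershell
# Added example, not from the original thread or the linked articles.
# Connection security rules requiring IPsec for TCP 1433 between a front-end
# server and a back-end SQL Server, authenticated with Kerberos machine
# credentials (no certificates). Assumed placeholders: both hosts domain-joined,
# SQL listening on 1433, front end 10.0.1.10, SQL Server 10.0.1.20.
# Run from an elevated PowerShell session: Set-SqlIPsecServer on the SQL host,
# Set-SqlIPsecClient on the front end.

$FrontEnd  = '10.0.1.10'   # assumed front-end address
$SqlServer = '10.0.1.20'   # assumed back-end SQL Server address

function New-SqlPhase1AuthSet {
    # Phase 1 (main mode) authentication: computer Kerberos. Domain membership
    # is the credential, which is why no certificate has to be issued or trusted.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName 'SQL1433-P1-Kerberos' -Proposal $proposal
}

function Set-SqlIPsecServer {
    $p1 = New-SqlPhase1AuthSet

    # Connection security rule: any flow on local TCP 1433 to/from the front end
    # must be inside an IPsec SA in both directions; clear text is refused.
    $csr = @{
        DisplayName      = 'SQL1433-Require-IPsec'
        Protocol         = 'TCP'
        LocalPort        = 1433
        RemotePort       = 'Any'
        LocalAddress     = $SqlServer
        RemoteAddress    = $FrontEnd
        InboundSecurity  = 'Require'
        OutboundSecurity = 'Require'
        Phase1AuthSet    = $p1.Name
        Enabled          = 'True'
    }
    New-NetIPsecRule @csr

    # Firewall rule: open 1433 only to the front end, and only when the peer
    # passed IPsec authentication. A plain allow rule without
    # -Authentication Required would still admit unprotected connections.
    $fw = @{
        DisplayName    = 'SQL1433-Allow-Authenticated'
        Direction      = 'Inbound'
        Protocol       = 'TCP'
        LocalPort      = 1433
        RemoteAddress  = $FrontEnd
        Authentication = 'Required'
        Action         = 'Allow'
    }
    New-NetFirewallRule @fw
}

function Set-SqlIPsecClient {
    $p1 = New-SqlPhase1AuthSet

    # Mirror rule on the front end: its connections to remote TCP 1433 on the
    # SQL Server must be negotiated over IPsec. Matching on RemotePort 1433
    # covers the client's high-numbered source ports, so no port range is needed.
    $csr = @{
        DisplayName      = 'SQL1433-Require-IPsec'
        Protocol         = 'TCP'
        LocalPort        = 'Any'
        RemotePort       = 1433
        LocalAddress     = $FrontEnd
        RemoteAddress    = $SqlServer
        InboundSecurity  = 'Require'
        OutboundSecurity = 'Require'
        Phase1AuthSet    = $p1.Name
        Enabled          = 'True'
    }
    New-NetIPsecRule @csr
}
```

Two practical points. The return traffic does not need its own rule: the Windows firewall is stateful and the quick-mode SA covers both directions of the TCP flow, so only the 1433 side of the connection has to be named. What does have to be reachable is the IPsec negotiation itself (IKE/AuthIP on UDP 500, and UDP 4500 when NAT traversal is in play) plus ESP; Windows Firewall permits those once connection security rules exist, but any network firewall between the two servers must pass them. To push the same rules through Group Policy instead of the local store, add `-PolicyStore 'domain.example\GPO name'` to `New-NetIPsecRule` and `New-NetFirewallRule`; the rule contents are identical, which is the whole difference between the two deployment methods.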
compdigit44

ASKER

How can I verify that traffic is using the IPSec tunnel?
Well, you'll be accessing it via a LAN subnet for one.  In your firewall you can also have rules that block 1433 from WAN enabled so there isn't any confusion.
For the port listing, how would I lock it down to 1433 only? The return traffic would probably use a range of higher ports, correct? Also, regarding the firewall, what ports are required? Finally, the IPSec wizard only needs to be run on one of the two servers in the IPSec tunnel, correct?
You only need to set up IPSEC on one server if you're doing it in Windows and not via a network appliance.

An IPSEC tunnel is called a VPN because you are virtually joining the LAN.  So in your allow, you only need to be sure that LAN connections (the ones desired) can connect to the server on 1433.  Once your user is on the VPN they can use the LAN address to access SQL.

If you are additionally adding SSL, then you'd have to set up certs, but IPSEC does not require it.
So setting up the IPSec tunnel would encrypt all traffic, correct? I have read that you can use the Windows firewall to do this as well, as seen here. What is the difference between using the Windows firewall and getting IPSec using Group Policy?
>> How can I verify that traffic is using the IPSec tunnel?

Simple, check your Firewall inbound/outbound rules on server/client

>> For the port listing how would i lock it down to 1433 only

Both SSL and IPSEC work by locking or assigning to a particular port.
For SSL, you add certificates to both server and client and then encrypt the port and connection via the certificate.
For IPSEC, you will allow only this port via the firewall.
Whether you do it via SSL or IPSEC, you would need to assign port 1433 in the Firewall.

>> What is the difference between using the Windows firewall and getting IpSec using Group Policy

Using Group Policy, your domain or Windows admin can add these ports to the Windows Firewall by pushing the policies from a centralized location, instead of configuring firewall policies on individual clients.
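Checking the firewall rules tells you what was configured, not what the packets are doing. As an added example that is not from the thread, here is a check that answers "is the SQL traffic actually inside IPsec?" by looking at the security associations Windows has negotiated. It assumes a SQL Server at 10.0.1.20 on TCP 1433 (placeholders) and is run on the front-end host from an elevated PowerShell session; the property names (RemoteEndpoint, RemotePort, RemoteFirstId, FirstTransformType) are those of the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA objects on Windows Server 2012 R2.

```powershell
# Added example, not from the original thread: confirm the SQL connection is
# carried inside IPsec instead of inferring it from firewall rules.
# Assumed placeholders: SQL Server 10.0.1.20, TCP 1433, run on the client host.

$SqlServer = '10.0.1.20'
$SqlPort   = 1433

function Test-SqlOverIPsec {
    param(
        [string]$Server = $SqlServer,
        [int]   $Port   = $SqlPort
    )

    # 1. Generate a 1433 flow so an SA is negotiated if none is up yet.
    #    If the server requires IPsec and this host has no matching rule, the
    #    SYN is dropped silently and TcpTestSucceeded is false; that silent
    #    drop is the failure mode to expect, not a certificate error.
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue

    # 2. Main-mode (phase 1) SA with the peer: proves it authenticated.
    #    RemoteFirstId is the Kerberos or certificate identity it presented.
    $mainMode = Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $Server }

    # 3. Quick-mode (phase 2) SA covering the 1433 flow: this is the ESP/AH
    #    association the SQL packets travel in. A successful TCP test with no
    #    matching quick-mode SA means the connection went in clear text.
    $quickMode = Get-NetIPsecQuickModeSA | Where-Object {
        $_.RemoteEndpoint -eq $Server -and
        ($_.RemotePort -eq $Port -or $_.LocalPort -eq $Port)
    }

    [pscustomobject]@{
        TcpOpen         = $tcp.TcpTestSucceeded
        PeerIdentity    = ($mainMode | Select-Object -First 1).RemoteFirstId
        MainModeSAs     = @($mainMode).Count
        QuickModeSAs    = @($quickMode).Count
        Transform       = ($quickMode | Select-Object -First 1).FirstTransformType
        ProtectedOn1433 = ($tcp.TcpTestSucceeded -and @($quickMode).Count -gt 0)
    }
}

Test-SqlOverIPsec | Format-List
```

`ProtectedOn1433` is true only when the port answered and a quick-mode SA exists for that flow; `Transform` shows whether it is ESP (encrypted) or AH (authenticated only), which matters because the thread's requirement is confidentiality. For an independent confirmation, capture on either host (`netsh trace start capture=yes`, or Wireshark) and look for ESP (IP protocol 50) between the two addresses where TCP 1433 used to appear.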
So here is where I am confused. The requirement we have is to have SQL traffic be secure, and with our setup encrypted SQL connections in SQL cannot be used. The communication will be between a front end server and a back end SQL server, both of which are running Windows 2012 R2.

1) Why would I use the Windows firewall method using SSL and certificates via IPSec via GP? Pros / cons
2) When doing the firewall method, does it have to be done on both the frontend and backend server?
>> The requirement we have it to have SQL traffic be secure

Secure over LAN or WAN?

>> with our setup Encrypted SQL connection in SQL cannot be used

What precludes you from using SSL Encryption on the SQL server?
ASKER CERTIFIED SOLUTION
Raja Jegan R

This solution is only available to members.