TCP Traffic, SSL or extra Tunnel

I have a situation where we (as a SaaS vendor) are migrating one of our clients away from their local premise to our public SaaS.

However as a security concern they want to route all their TCP traffic over an IPSEC Tunnel to our application. Now i’m not very familiar with doing that (i’ve done it once) and i don’t believe in just doing things like that quickly.

But it makes me wonder, is that really neccesary if we already use a strong TLS1.2 encryption on the webserver? I constantly check to ensure we keep an A+ score on ssllabs.com/ssltest and i’m wondering if that isn’t secure enough?

Obviously i can understand that adding an extra layer of encryption will always be more secure. But i want to see if there is an argument to be made for the pros and cons of this.

Is there anyone who has any insight into this?