I am in the middle of testing IPSec over GRE. The kind of requirement that I have wants me to run IPSec over the GRE interface ONLY and not on the physical interface.
During the course of my testing, I found out that as long as I have IPSec configured both on my physical and tunnel interface, the end to end ping is working and the ipsec sa command shows the packets being encrypted and decrypted showing that encryption is also working.
However, when I remove the crypto map from the physical interface and it is still configured on the tunnel interface, my end to end ping still works but my encryption stops. I cannot see any packets being encrypted/decrypted.
Does that mean that for the encryption to work on GRE tunnel, one MUST have the crypto maps applied on the physical interface ALSO?
So, if there is no IPSec on physical interface, effectively there is no encryption happening even though you have configured it on the tunnel interface.
Is that the way it works?
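An added example (not the poster's configuration) of the two ways Cisco IOS binds IPsec to a GRE tunnel: a classic crypto map, which must be applied to the physical interface the GRE packets actually leave through, and an IPsec profile with `tunnel protection`, which encrypts the tunnel without any crypto map on the physical interface. The addresses, names and pre-shared key below are constructed placeholders.

```cisco
! --- Shared IKE/IPsec settings (constructed values) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE_PSK_CHANGE_ME address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! --- Option A: classic crypto map ---
! The ACL matches the GRE packets themselves, not the traffic inside them.
ip access-list extended GRE-TRAFFIC
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! The crypto map goes on the PHYSICAL (tunnel source) interface.
! Applying it only to Tunnel0 leaves the GRE packets unencrypted,
! which matches the behaviour described above (ping works, no encaps).
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-CMAP
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! --- Option B: IPsec profile bound to the tunnel (no crypto map anywhere) ---
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! Verify with either option: the #pkts encaps / #pkts decaps counters
! should increase while traffic crosses the tunnel.
! show crypto ipsec sa
```

Use one option or the other on a given tunnel; option B is the one that satisfies a "tunnel interface only" requirement, since the physical interface carries no crypto map.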