People here sorry .... i found the solution and it's listed here:
In IOS versions prior to 12.2(13)T, including all 12.2 mainline releases, in order to configure GRE over IPSec, that is, to encrypt GRE packets using IPSec as the L3 transport protocol, the crypto map needs to be applied to both the tunnel and the outbound physical interface. This requirement was historical when the initial IPSec implementation inherited it from Cisco Encryption Technology (CET), and has since been removed in 12.2(13)T and later. In this case the router could only do IPsec encryption after GRE encapsulation. The IPsec crypto ACL would be configured to match the GRE/IP encapsulated Data/IP packet, as shown here:
access-list permit gre host host
With the newer crypto implementation in 12.2(13)T and later, when a crypto map is applied to an interface, it always means crypto processing of the packet occurs before encapsulation on that interface, regardless of whether that is a physical interface or a GRE tunnel interface. This implies that for the GRE over IPSec configuration, the crypto map would only be applied to the outbound physical interface. It is no longer necessary to configure it on the tunnel. It also means now IPSec over GRE can be configured, that is, to transport IPSec packets inside of a GRE tunnel, by only applying the crypto map to the tunnel interface and configuring the IPSec crypto ACL to match data IP (clear-text) packets.