In a hub-and-spoke IPSec environment, it's not hard to set up routing from spoke to hub.
But on the hub end of a tunnel, where lives the gateway of last resort for traffic from the spoke, it seems almost counter-intuitive that the crypto ACL and peer statements don't implicitly create a route for traffic from the hub into the tunnel to the far end (spoke). It could always be overridden with a static if necessary.
There's probably a good reason for this, but I can't think of it. Or am I the only person who thinks it odd...or perhaps a feature opportunity?
This feature exists and is called reverse-route injection. The route is dynamically created (based on the crypto ACL) and is available only when the SA is up.
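As an added illustration (not from the original thread), this is how reverse-route injection is turned on in a Cisco IOS crypto map on the hub; the ACL name, map name, addresses and peer IP are assumptions:

```cisco
! Hub-side crypto map, added example. Names/addresses are assumptions.
!
! Crypto ACL: hub LAN 10.1.0.0/16 <-> spoke LAN 10.2.0.0/24
ip access-list extended SPOKE1-CRYPTO
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address SPOKE1-CRYPTO
 ! Reverse-route injection: installs a route for the destination
 ! network(s) of SPOKE1-CRYPTO (10.2.0.0/24) toward the peer.
 ! With plain "reverse-route" the route exists only while the IPsec SA
 ! is up and is withdrawn when the SA drops, so a dead tunnel does not
 ! black-hole traffic that another path could carry.
 reverse-route
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB-MAP
!
! Variant: "reverse-route static" installs the route as soon as the map
! is applied, before any SA exists, so the hub itself can trigger the
! tunnel toward the spoke. Injected routes are static routes, so the
! hub's IGP can advertise them with "redistribute static".
```

Verify with `show ip route static` on the hub after the tunnel comes up; the injected entry should appear and disappear with the SA.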