Before the router encrypts data it must successfully negotiate the Key and Encryption Domain.
Are you getting a successful phase 1 negotiation?
If you do a "show crypto isa sa", does your router show QM_IDLE with the peer?
In your Source / Dest columns, is it using your outbound ISP address or the GRE Source address? (i.e., did the default mode change, Tunnel vs. Transport mode?)
~ron
CCNP, CCDA, CNE