VPN - determining initiating side

sbrozius
Level 1

I've got a Cisco VPN Concentrator 3005 set up to accommodate some LAN-2-LAN connections.

How can I see which side of the tunnel initiates the connection?

1 Reply

smalkeric
Level 6

I think an IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPSec peers.

This interesting traffic is configured using access-lists.

show crypto map is the command used to view the defined access list.

To view the tunnel initiator, I think any one of the following debug commands will be helpful.

debug crypto ipsec - Shows if a client is negotiating the IPSec portion of the VPN connection.

debug crypto isakmp - Shows if the peers are negotiating the ISAKMP portion of the VPN connection.

IPSec negotiation can be broken down into five steps, including two Internet Key Exchange (IKE) phases.

An IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPSec peers.

In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel is established.

The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.

The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires.
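As an added illustration of the IKE Phase 1 point above (this is not code from the thread or from Cisco), here is a Python check that decides which peer initiated a tunnel from a capture of UDP/500 traffic: the very first Main Mode or Aggressive Mode message is the only one whose responder cookie is still all zeros, so its source address is the initiating side. The peer addresses and the ISAKMP datagrams are constructed sample data.

```python
import struct
from typing import NamedTuple

# Fixed ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PHASE1_EXCHANGES = (2, 4)  # 2 = Main Mode (Identity Protection), 4 = Aggressive Mode


class IsakmpHeader(NamedTuple):
    initiator_cookie: bytes
    responder_cookie: bytes
    exchange_type: int
    message_id: int
    length: int


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Decode the fixed ISAKMP header of one UDP/500 datagram; reject malformed input."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, _next, version, xchg, _flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:  # major version lives in the high nibble
        raise ValueError(f"unsupported ISAKMP major version {version >> 4}")
    if length != len(payload):
        raise ValueError("ISAKMP length field does not match datagram size")
    return IsakmpHeader(icookie, rcookie, xchg, msg_id, length)


def find_initiator(datagrams):
    """datagrams: (src_ip, dst_ip, payload) in capture order. Returns the IP that sent
    the first Phase 1 message (responder cookie all zero, message ID 0), else None."""
    for src, _dst, payload in datagrams:
        hdr = parse_isakmp_header(payload)
        if hdr.exchange_type in PHASE1_EXCHANGES and hdr.responder_cookie == bytes(8) and hdr.message_id == 0:
            return src
    return None


def build_isakmp(icookie, rcookie, xchg, msg_id, body=b""):
    """Construct a minimal ISAKMP datagram for the sample capture (header only, no real payloads)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, xchg, 0, msg_id, ISAKMP_HDR.size + len(body)) + body


# Constructed sample capture: 192.0.2.1 (assumed concentrator-side peer) opens Main Mode
# toward 198.51.100.1; the reply carries the responder's freshly chosen cookie, then Quick Mode (32).
IC = bytes.fromhex("0102030405060708")
RC = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLE = [
    ("192.0.2.1", "198.51.100.1", build_isakmp(IC, bytes(8), 2, 0)),
    ("198.51.100.1", "192.0.2.1", build_isakmp(IC, RC, 2, 0)),
    ("192.0.2.1", "198.51.100.1", build_isakmp(IC, RC, 32, 0x11223344)),
]
```

Feeding real UDP/500 payloads (for example, exported from a packet capture taken on either side of the tunnel) into find_initiator gives the same answer the debug commands above would show, without enabling debugging on the concentrator.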