A crypto ACL is used to identify traffic that requires crypto treatment.
IPSec traffic is "encapsulated". It is not necessarily "encrypted". It is dependent on the policy you define.
For example, you could use the Authentication Header (AH) protocol instead of ESP, in which case you would benefit from the "authentication" of data, but no "encryption" would be performed.
Only traffic matching a "permit" statement in the crypto ACL would be "encapsulated", and be considered part of the tunnel.
Traffic matching a "deny" statement in the crypto ACL would bypass the crypto engine, but may be forwarded "outside" the tunnel if a route to the destination address is known, and the address is routable.
A packet with a "private" destination IP address would have trouble traversing the Internet.
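The permit/deny behaviour described above can be modelled as a small first-match audit; this is an added example, not part of the original post and not vendor code. The ACL entries, the flows and the verdict labels are constructed for illustration, and a packet that matches no entry is assumed to be treated like a deny (no crypto treatment).

```python
import ipaddress

# RFC 1918 ranges: private addresses that are not routable across the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed crypto ACL, evaluated top-down, first match wins:
# (action, source network, destination network)
CRYPTO_ACL = [
    ("deny",   "10.1.1.0/24", "10.2.2.128/25"),  # carve-out placed before the permit
    ("permit", "10.1.1.0/24", "10.2.2.0/24"),
]

def classify(src, dst, acl=CRYPTO_ACL):
    """Return how an outbound packet is treated by the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    action = "deny"  # assumption: no matching entry means no crypto treatment
    for act, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            action = act
            break
    if action == "permit":
        return "encapsulated"                # part of the tunnel
    if any(d in net for net in RFC1918):
        return "bypass-private-destination"  # leaves in the clear, cannot cross the Internet
    return "bypass-routable"                 # leaves in the clear if a route is known

def audit(flows, acl=CRYPTO_ACL):
    """Classify every (src, dst) flow; useful for spotting unintended bypasses."""
    return {(s, d): classify(s, d, acl) for s, d in flows}

# Constructed sample flows (203.0.113.10 is a documentation address).
FLOWS = [
    ("10.1.1.5", "10.2.2.10"),
    ("10.1.1.5", "10.2.2.200"),
    ("10.1.1.5", "203.0.113.10"),
    ("10.9.9.9", "10.2.2.10"),
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS).items():
        print(flow, verdict)
```

The second and fourth flows are the ones to review: they target the remote private subnet but never enter the tunnel.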
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...