GRE and IPSec
When you apply the crypto map on the tunnel interface, you are employing IPSec over GRE; when you apply it on the physical interface, you are employing GRE over IPSec. Yes, both work, but it must be understood that they do different things.
- IPSec over GRE: outer header is GRE, so IPSec is being encapsulated within GRE. This means that only the payload will be encrypted, and not the GRE header.
- GRE over IPSec: outer header is IPSec. This means that the whole packet including both GRE header and payload will be encrypted.
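
To check which of the two layerings is actually on the wire, walk the headers of a captured packet and see where cleartext ends. The sketch below is an added example, not part of the original text; the packets are constructed samples with documentation addresses, zeroed checksums and placeholder ciphertext, and all function names are hypothetical.

```python
import struct

IPPROTO_GRE, IPPROTO_ESP = 47, 50   # IANA IP protocol numbers
ETHERTYPE_IPV4 = 0x0800

def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.2"):
    """Build a minimal IPv4 header (checksum left at 0) around payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

def gre(payload):
    """Basic 4-byte GRE header (no checksum/key/sequence) carrying IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + payload

def esp(ciphertext, spi=0x1000, seq=1):
    """ESP header (SPI + sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext

def visible_headers(pkt):
    """Return the headers an on-path observer can read before hitting ciphertext."""
    seen = []
    while True:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        ihl = (pkt[0] & 0x0F) * 4
        proto, pkt = pkt[9], pkt[ihl:]
        seen.append("IP")
        if proto == IPPROTO_ESP:
            seen.append("ESP")          # everything past SPI/sequence is encrypted
            return seen
        if proto != IPPROTO_GRE:
            seen.append(f"proto {proto}")
            return seen
        if len(pkt) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", pkt[:4])
        # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each
        opt = 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        seen.append("GRE")
        if ptype != ETHERTYPE_IPV4:
            return seen
        pkt = pkt[4 + opt:]

CIPHERTEXT = bytes(32)  # constructed stand-in for encrypted data

# Crypto map on the tunnel interface: ESP travels inside GRE.
ipsec_over_gre = ipv4(IPPROTO_GRE, gre(ipv4(IPPROTO_ESP, esp(CIPHERTEXT))))
# Crypto map on the physical interface: GRE header and payload sit inside ESP.
gre_over_ipsec = ipv4(IPPROTO_ESP, esp(CIPHERTEXT))
```

In a capture, an outer IP protocol of 47 means the GRE header is exposed; an outer protocol of 50 means the observer sees only ESP.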