why you use GRE/IPSec, 
you already have reachability 
config the BGP with LO as update source 
and then config crypto map under this LO. 

Hello

---

@S Kumar wrote:

MPLS provider will deliver a RJ45 link to us as well as towards our customer. RJ45 will be connected our Cisco 3650 which is a gateway for our devices. I need to configure GRE tunnel with IPSEC on my 3650.

---

The underlay will be indeed the mpls connection between both sites if you want to build an overlay (tunnel), however Im not so sure the 3650 supports ipsec?

Anyhow if you are able to create this tunnel, you will then need to specify certain traffic to be policy routed over this tunnel to achieve the encryption required.

"Or is it transparent to MPLS provider and I can treat this link as P2P link?"

Likely this is the case.  I.e. you just configure an GRE/IPSec tunnel, P2P, or perhaps using DMVPN (which is best depends on your IPSec needs between sites).

As other posters have mentioned, you do need to insure your 3650 supports GRE tunnels (don't know, myself; earlier Catalyst 3Ks didn't) and supports IPSec across such tunnels (dido), included whatever level of IPSec security (strength) is required.

BTW, a major gotcha of GRE/IPSec is the reduction in IP MTU often leading to fragmentation.  I.e. you want to be aware of how to mitigate fragmentation's impact, which, cannot often be totally eliminated for all traffic kinds.  (NB: if you're not doing jumbo Ethernet now, and don't plan to, but your MPLS provider supports jumbo Ethernet, that can be used to totally eliminate fragmentation across your tunnel.)

I have Cisco3650 on both sites running on IOS 16.6.7-ipservicesk9. I have the following config and both sites have the readability.

Tunnel interfaces are up, tunnel is up. Both tunnel ip addresses are able to ping each other.
Interesting traffic is able to flow via the tunnel. I know this becuase traceroute results changes as soon as the tunnel is up.
"show cry ipsec sa" shows that there is no encaps/decaps. Tunnel interface show that there is no packet in/out.

Does  anyone know for sure if GRE with IPSEC is supported on C3650?
If it is supported, anything wrong with my config?

SITE # 1

!
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 5
crypto isakmp key MySecretKey address 10.200.200.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TSET
!
interface Tunnel0
ip address 10.99.99.1 255.255.255.252
tunnel source Vlan100
tunnel destination 10.254.200.29
tunnel key 1
tunnel protection ipsec profile IPSEC-PROFILE
!

ip route 192.168.200.10 0.0.0.0 Tunnel0

!
interface Vlan100
description MPLS-PROVIDER
ip address 10.254.100.29 255.255.255.252
end

router bgp 64100
bgp log-neighbor-changes
network 192.168.100.0 mask 255.255.255.0
network 10.254.100.28 mask 255.255.255.252
neighbor 10.254.100.30 remote-as 1234
neighbor 10.254.100.30 description MPLS_PROVIDER

SITE # 2

!
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 5
crypto isakmp key MySecretKey address 10.200.200.2
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TSET
!
interface Tunnel0
ip address 10.99.99.2 255.255.255.252
tunnel source Vlan200
tunnel destination 10.254.100.29
tunnel key 1
tunnel protection ipsec profile IPSEC-PROFILE
!

ip route 192.168.100.10 0.0.0.0 Tunnel0

!

!
interface Vlan200
description MPLS-PROVIDER
ip address 10.254.200.29 255.255.255.252
end

router bgp 64200
bgp log-neighbor-changes
network 192.168.200.0 mask 255.255.255.0
network 10.254.200.28 mask 255.255.255.252
neighbor 10.254.200.30 remote-as 12345
neighbor 10.254.200.30 description MPLS_PROVIDER