Scenario:

Build a backup path over an IPSec tunnel across a 4G card.
Both, primary and the 4G links are on the same router and they both terminate on the same firewall(fortigate) on the other end.

My initial plan was to use a front door VRF to build the underlay network and then on top
create a tunnel(gre/vti) interface in the global which will be used to send the traffic across while beeing encrypted with an IPSec profile.

Few things important to be mentioned here
 1. 4G card is behind a NAT and the outbound public IP is not static.
 2. For the firewall I have a fortigate building an on-demand IPSec tunnel.  
    This type of tunnel is similar to a tunnel built from a phone to a firewall where your source is also behind a NAT.


==============================================================================
Following config ensure Internet access over the 4G card

==============================================================================

!
interface Cellular0/1/0
 vrf forwarding INET
 ip address negotiated
 ip nat outside
 dialer in-band
 dialer-group 1
!
interface Loopback10
 vrf forwarding INET
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route vrf INET 0.0.0.0 0.0.0.0 Cellular0/1/0
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface Cellular0/1/0 vrf INET overload
!
==============================================================================

Internet access testing over the 4G

==============================================================================
#ping vrf INET 8.8.8.8 so lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/59/97 ms

#show cellular 0/1/0 profile
Profile password Encryption level: 7

Profile 1 = ACTIVE* **
--------
PDP Type = IPv4
PDP address = 10.109.112.58
Access Point Name (APN) = telstra.internet
Authentication = None
        Primary DNS address = 10.5.209.36
        Secondary DNS address = 10.5.80.241
        Primary DNS IPV6 address = 0
        Secondary DNS IPV6 address = 0

==============================================================================

Now with the 4G card up and running i start building the IPSec tunnel across.
==============================================================================

!
crypto keyring Ipsec-KEY vrf INET
  pre-shared-key address 1.2.3.4 key cisco
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile Ipsec-PROFILE
set transform-set ESP-AES-256-SHA
!
interface Tunnel100
 ip address 192.168.100.254 255.255.255.0
 tunnel source Cellular0/1/0
 tunnel mode ipsec ipv4
 tunnel destination 1.2.3.4
 tunnel vrf INET
 tunnel protection ipsec profile Ipsec-PROFILE
!
==============================================================================

At this stage i can see the IPSec tunnel built on both ends(router and the firewall) however, the tunnel interface is still line protocol down.

==============================================================================

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.2.3.4         10.109.112.58   QM_IDLE          16152 ACTIVE

#show int tun100
Tunnel100 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 192.168.100.254/24
  MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - linestate protection reg down
  Tunnel source 10.109.112.58 (Cellular0/1/0), destination 1.2.3.4
   Tunnel Subblocks:
      src-track:
         Tunnel100 source tracking subblock associated with Cellular0/1/0
          Set of tunnels with source Cellular0/1/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  <output omitted>


==============================================================================

CONCLUSION:


Based on the current status on this scenario, the only missing part on this to work is the Tunnel interface which still has the line protocol down. Once this done, i can add routes for the backup traffic across the tunnel.