Thanks,

this is cisco TAC engineer answer:

You would like to also know if the tunnel interface with tunnel protection will work with crypto map on ASA.

The answer is that you need to use either:

• dVTI – dynamic VTI – in this case the ASR will always act as a responder and willl accept the proxy identity proposed by the peer (http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-3FE994B8-86D7-4505-8BB7-BD41A1143B07),
• crypto map based IKEv2 – the configuration is a bit legacy, but it should work well when both sides can initiate a tunnel.

So if the tunnel will be negotiated only from ASA side I recommend to use dVTI, but if you need negotiate the tunnel from both sides you have to use crypto map on the ASR as well. If you choose sVTI the problem will be during the rekey, because a sVTI always uses 0.0.0.0 to 0.0.0.0 as proxy-identity set and the ASA will not like it.

I would probably phrase it by saying crypto maps are "mature technology" rather than saying "legacy".  And because you are trying to talk to an ASA that does not support dVTI you are more likely to have issues interfacing two different technologies.

If you use a crypto map then you are using the same technology at both ends.  Much less grief.