11-22-2014 06:37 AM
Hi all,
I'll be configuring a CE router which has VRFs and GRE tunnels for management and customer VLANs back to our core.
I'll also configure a S2S VPN with GRE/IPsec between the CE router and the ASA.
I would like to quickly ask: do I apply the crypto map to the main physical interface facing the ISP, or to the individual GRE tunnels/VRFs?
See the attached rough diagram and the config snippet below.
interface Tunnel100   <<< SAME TUNNEL CONFIGURED ON CORE TUNNEL WITH REVERSED TUNNEL CONFIG AND IP ADD
 description ### Tunnel to Core Mgt VLAN ###
 ip address 172.27.191.254 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.2
 tunnel destination 2.2.2.2
!
interface Tunnel200
 description ### Tunnel to Core - CUSTOMER A ###
 ip vrf forwarding CUSTA
 ip address 172.27.191.250 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source 172.27.191.254
 tunnel destination 172.27.191.253
!
interface GigabitEthernet0/1
 description ### To ISP Modem ###
 ip address 1.1.1.2 255.255.255.0
 crypto map CMAP   <<<
!
ip route 2.2.2.2 255.255.255.255 1.1.1.1    <<< CORE IP
ip route 2.2.2.14 255.255.255.255 1.1.1.1   <<< TO CORE ASA
ip route 0.0.0.0 0.0.0.0 172.27.191.253
ip route vrf CUSTA 0.0.0.0 0.0.0.0 172.27.191.249
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 2.2.2.14
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
ip access-list extended CE_TO_CORE
 permit ip 172.27.191.0 0.0.0.255 172.0.0.0 0.255.255.255
 permit ip 10.48.32.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.14
 set transform-set TSET
 match address CE_TO_CORE
11-23-2014 12:59 AM
Crypto map on a tunnel interface has only been supported for GETVPN (at least until recently).
You always apply it on the egress interface (looking from the unencrypted traffic's perspective).
Can I also suggest ditching crypto maps and using tunnel protection? Tunnel protection is the way to go with logical interfaces (like tunnels and VTs).
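To make the tunnel-protection suggestion concrete, here is an added example (not either poster's config) that reworks the snippet from the question: the crypto map and its ACL are dropped, and IPsec is bound directly to Tunnel100 with an IPsec profile. Addresses, names and the 3DES/SHA parameters are reused from the question; the profile name GRE_PROT and the MTU/MSS values are assumptions. One consequence the question's design has to absorb: tunnel protection encrypts the GRE packets between the tunnel's own source and destination, so the IKE peer becomes the core GRE endpoint (2.2.2.2), not the ASA (2.2.2.14).

```text
! Added example: GRE over IPsec with tunnel protection instead of a crypto map.
! Phase 1 is unchanged apart from the peer, which is now the GRE endpoint.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 2.2.2.2
!
! Phase 2: the transform set is wrapped in an IPsec profile (name assumed).
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile GRE_PROT
 set transform-set TSET
!
! Bind the profile to the GRE tunnel. No crypto ACL is needed: everything
! routed into Tunnel100 is encrypted. MTU/MSS lowered to allow for the
! GRE + ESP overhead (values are a common starting point, not from the post).
interface Tunnel100
 description ### Tunnel to Core Mgt VLAN ###
 ip address 172.27.191.254 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 1.1.1.2
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile GRE_PROT
!
! The ISP-facing interface no longer carries a crypto map.
interface GigabitEthernet0/1
 description ### To ISP Modem ###
 ip address 1.1.1.2 255.255.255.0
 no crypto map CMAP
!
! Tunnel200 (VRF CUSTA) is sourced from Tunnel100's address, so its GRE
! packets travel inside Tunnel100 and are encrypted along with it; the
! VRF tunnel itself needs no crypto configuration.
```

The core side needs the mirror image: the same ISAKMP policy and key for 1.1.1.2, the same transform set and profile, and `tunnel protection ipsec profile GRE_PROT` on its end of the tunnel. Verification is `show crypto isakmp sa` (peer 2.2.2.2 in QM_IDLE) and `show crypto ipsec sa` showing encaps/decaps counters climbing as traffic crosses Tunnel100; if the management tunnel comes up but the VRF tunnel stays down, check that 172.27.191.253 is reachable through the protected tunnel before looking at crypto.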