Connecting a route and policy based ipsec tunnel together

BVC
Level 1

I've been struggling with understanding the configuration of an IPsec tunnel between a 5506-X ASA and an AWS native VPN gateway. The ASA is set up for a route-based VTI IPsec tunnel, and the IPsec tunnel is negotiating and coming up fine; it's just that the AWS side (which I don't have control over) seems to be configured for a policy-based VPN.

When I do a show crypto ipsec sa detail command, instead of seeing the 0.0.0.0/0 I expect for the local and remote identity, I see policy-based encryption: my local subnet and the remote subnet in AWS (the subnets that need to be encrypted) are displayed. I have no configuration for any crypto maps or ACLs for encrypting interesting data, so I'm just confused how my ASA is using policy-based IPsec even when it's configured with a VTI and a crypto IPsec profile. I also cannot ping the other end of the VTI, and I know for sure you can ping VTI interfaces on AWS, so this further suggests it's a policy-based VPN.

So my question is: can one endpoint be running a policy-based VPN while the other endpoint is running a route-based VPN, and can the policy-based VPN force its configuration/policy onto the other end of the tunnel?
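The symptom described in the post is visible in the local/remote identity lines of show crypto ipsec sa detail: a route-based VTI is expected to negotiate 0.0.0.0/0 on both sides, while a peer that narrows the proxy IDs to specific subnets leaves only those subnets covered by the SA. The following script is an added example, not code from the poster or from Cisco; it parses output in the shape of that command and flags SAs whose selectors are narrower than any/any. The two sample outputs, the interface name AWS-TUN1 and all addresses in them are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of ASA "show crypto ipsec sa detail" output.
# Not captured from the poster's device: interface name, addresses, tags and
# counters are made up. Here the peer has narrowed the selectors to two subnets.
SAMPLE_NARROWED = """\
interface: AWS-TUN1
    Crypto map tag: __vti-crypto-map-Tunnel1-0-1, seq num: 65280, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

# Second constructed sample: the any/any selectors a route-based VTI is expected to negotiate.
SAMPLE_ANY_ANY = """\
interface: AWS-TUN1
    Crypto map tag: __vti-crypto-map-Tunnel1-0-1, seq num: 65280, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 198.51.100.20
"""

INTERFACE_RE = re.compile(r"^interface:\s+(\S+)")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
)


def parse_sa_detail(text: str) -> List[Dict[str, str]]:
    """Return one record per IPsec SA: interface plus local/remote selectors in CIDR form."""
    records: List[Dict[str, str]] = []
    interface = "?"
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = IDENT_RE.search(line)
        if not m:
            continue
        side, addr, mask, proto, port = m.groups()
        # ipaddress accepts a dotted netmask and normalises 0.0.0.0/0.0.0.0 to 0.0.0.0/0
        cidr = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        if side == "local":
            # a "local ident" line opens a new SA record; the "remote ident" line completes it
            current = {"interface": interface, "local": cidr, "local_proto": proto, "local_port": port}
            records.append(current)
        elif current:
            current.update({"remote": cidr, "remote_proto": proto, "remote_port": port})
    return records


def is_any_any(sa: Dict[str, str]) -> bool:
    """True when both selectors are 0.0.0.0/0, the wide-open proxy IDs a route-based VTI expects."""
    return sa.get("local") == "0.0.0.0/0" and sa.get("remote") == "0.0.0.0/0"


def audit(text: str) -> List[str]:
    """One finding per SA, flagging selectors that were narrowed to specific subnets."""
    findings = []
    for sa in parse_sa_detail(text):
        kind = (
            "any/any selectors (route-based)"
            if is_any_any(sa)
            else "NARROWED selectors (policy-based proxy IDs)"
        )
        findings.append(
            f"{sa['interface']}: local {sa['local']} <-> remote {sa.get('remote', '?')}: {kind}"
        )
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NARROWED, SAMPLE_ANY_ANY):
        for finding in audit(sample):
            print(finding)
```

Run against saved command output (for example, paste the text into a file and pass it to audit), a NARROWED finding tells you which subnet pair the SA actually protects. Traffic routed into the tunnel that falls outside those selectors is not carried by that SA, which is why a ping between tunnel interface addresses that are not inside the negotiated subnets does not get through even though the tunnel itself is up.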
