
Simultaneous Connections on virtual GRE tunnel and IPsec

NsutterbyAI
Level 1

I am having issues with setting up a Cisco router (actually several devices need to be done to include ISR 4331, 4321, 4221 and 1941 models) to add an additional IPsec VPN connection to the existing device and connect to a cloud hosted service provider. I can get the setup working just fine on Zyxel and FortiGate devices without issues, but don't know the Cisco products well enough to know what I am missing in the CLI.

I have added the isakmp policies, transform set, access-list, bound to the WAN interface, etc. per Cisco documentation and it is as if the device doesn't know how to find the correct route or attempt an IPsec connection to the cloud host from the device. I cannot delete or alter the existing GRE tunnel yet, as it is pointing to another hosting provider in the cloud. To further complicate things, I need to connect to the new host on a "staging subnet" until we migrate the VMs to the new host, then change the destination subnet on the new IPsec connection, to replicate the subnet from the old GRE connection, on a weekend when we cut over.

I deleted the items I have added from the running configuration and am starting from scratch to determine the best plan of action and to figure out if this is even possible. I assume I can make a virtual interface (in this case I'm going to attempt to make tunnel 99) for the IPsec VPN and run it alongside the existing tunnel 1124, but the gateway of last resort and the route table that were set up prior to me looking at the configuration seem foreign to me in the way that they operate, since I didn't set any of this up originally. I figured the VTI was the way to go since I couldn't just bind an IPsec VPN connection to the WAN interface and get it to work. Maybe it can be done, but I don't know how to properly route it through the gateway of last resort.

Any assistance the community can provide would be appreciated.

Below I have attached the current config, redacting any private information.
