Site-to-site VPN between Router C1121-4P and ASA 5525-x don't work

Rowlands Price
Level 1

Hi support

I just configured an IPsec VPN between a new Cisco router C1121-4P and a Cisco ASA 5525-X, but it's not working.

I have an old tunnel between a router 2921 and the same ASA, and it worked properly.

Attached is the C1121 router's configuration.

Can somebody help me?


crypto map SDM_CMAP_1 <<- the crypto map is configured under the VLAN interface; it needs to be configured under g0/0/1.

Hi MHM

Interface g0/0/1 has a private IP for the point-to-point link with the ISP.

The public IP (also the peer from the ASA side) is under VLAN 1.

But the traffic takes the default route toward g0/0/1.
Can I see show ip route?

Here is the sh ip route:

ROUTER#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/30 is directly connected, GigabitEthernet0/0/1
L 10.10.10.2/32 is directly connected, GigabitEthernet0/0/1
41.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 41.10.10.8/29 is directly connected, Vlan1
L 41.10.10.10/32 is directly connected, Vlan1
L 41.10.10.10/32 is directly connected, Vlan1
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.0/24 is directly connected, Vlan1
L 192.168.50.1/32 is directly connected, Vlan1
ROUTER#

Sorry, but packets from VLAN1 192.168.50.0/24 going to the specific destination pass through the same interface they entered from?
I think you need a second VLAN X configured with 41.10.10.8/29, and the crypto map configured under this new VLAN X.
Under VLAN1, configure PBR: if the traffic needs to pass through VLAN X, then the traffic will pass through the IPsec VPN;
if the traffic needs to go to another destination, then it will be forwarded via the default route via g0/0/1.

The interface Vlan1 has two IPs: 41.10.10.10, which is the public IP, and 192.168.50.1, which is secondary (default gateway for the local PCs).

The interface gi0/0/1 has a private IP for the point-to-point link with the ISP.

In this situation, where should the crypto map be attached? I think only on the interface with the public IP.

With the current configuration, all PCs have internet access.

Friend, IPsec builds the tunnel when there is traffic egressing the interface you configured the crypto map under. Here the interface is ingress and egress at the same time?? This is my concern.
Just check the config of the other 2921 router and you will see how IPsec crypto works.

Hi MHM, in my other router 2921, the config is different: there are two interfaces, one with a public IP where the crypto map is attached, and a second interface with a private IP which is the default gateway.

In the current case, the public IP and the private IP (PC default gateway) are on the same interface (vlan 1). This is the issue.

How can I do this with the Cisco router C1121?

Hi Friend

Attached is the diagram.

Sorry, but packets from VLAN1 192.168.50.0/24 going to the specific destination pass through the same interface they entered from?
I think you need a second VLAN X configured with 41.10.10.8/29, and the crypto map configured under this new VLAN X.
Under VLAN1, configure PBR: if the traffic needs to pass through VLAN X, then the traffic will pass through the IPsec VPN;
if the traffic needs to go to another destination, then it will be forwarded via the default route via g0/0/1.

Thanks MHM,

The issue was with interface vlan 1, which is not used. I just placed the public IP under the same Gi0/0/1 as the primary IP, and the point-to-point private IP with the ISP as secondary.

I just put the crypto map on that interface and the tunnel came UP.

Thanks.
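The fix described in the thread, written out as an added IOS configuration fragment (not the poster's own config): addresses and masks come from the posted show ip route, the crypto map name from the earlier reply, and the ISAKMP policy, transform set and crypto ACL are not shown because the thread does not include them. Leaving the LAN gateway 192.168.50.1 on Vlan1 in the "after" state is an assumption.

```cisco
! BEFORE (as described in the thread): public IP and LAN gateway both on Vlan1,
! crypto map applied to Vlan1, but the default route egresses Gi0/0/1.
! Traffic never leaves through the crypto-map interface, so no SA is built.
interface Vlan1
 ip address 41.10.10.10 255.255.255.248
 ip address 192.168.50.1 255.255.255.0 secondary
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0/1
 ip address 10.10.10.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! AFTER (the accepted fix): public IP becomes primary on Gi0/0/1, the ISP
! point-to-point address becomes secondary, and the crypto map is applied to
! Gi0/0/1, the interface the default route actually egresses.
! Assumption: Vlan1 keeps only the LAN gateway address.
interface Vlan1
 no crypto map SDM_CMAP_1
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/0/1
 ip address 41.10.10.10 255.255.255.248
 ip address 10.10.10.2 255.255.255.252 secondary
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

After the change, "show crypto map" lists Gi0/0/1 as the interface using SDM_CMAP_1, and "show crypto isakmp sa" / "show crypto ipsec sa" should show the SAs once interesting traffic from 192.168.50.0/24 is sent.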