Encrypted GRE Tunnel with IPsec

Hello Tom

Applying the crypto map directly to the GRE tunnel interface is not typically done because of the way that GRE and IPsec interact.

GRE is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. However, GRE itself doesn’t provide any encryption.

On the other hand, IPsec provides encryption and authentication at the network layer. It’s commonly used in conjunction with GRE to secure the data that’s being transported within the GRE tunnel.

When we apply the crypto map to the physical interface, the router will encrypt the GRE and the encapsulated data payload. This means that the entire GRE packet (including the GRE header) will be encrypted, which enhances the security of the data being transported.

If we apply the crypto map directly to the GRE tunnel interface, only the payload within the GRE tunnel (not the GRE header itself) would be encrypted. This could potentially expose more information to potential attackers and provide less overall security. Does that make sense?

I hope this has been helpful!

Laz
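
The arrangement described in the reply above (crypto map on the physical interface, matching the GRE traffic between the tunnel endpoints), shown as an added Cisco IOS configuration sketch that is not part of the original post. All addresses (RFC 5737 documentation ranges), interface names, object names and the pre-shared key placeholder are assumptions made for illustration; the far-end router needs the mirror-image configuration.

```cisco
! Added example: GRE tunnel protected by a crypto map on the physical interface.
! Local endpoint 192.0.2.1, remote endpoint 198.51.100.1 (constructed values).

! IKE phase 1 policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1

! IPsec phase 2 transform set (ESP provides encryption and integrity)
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac

! Interesting traffic: the GRE packets themselves, tunnel source to tunnel destination.
! Matching on "gre" means the GRE header and everything it carries are inside ESP.
ip access-list extended GRE-TRAFFIC
 permit gre host 192.0.2.1 host 198.51.100.1

crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TRAFFIC

! The GRE tunnel carries no crypto configuration of its own
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1

! The crypto map is applied where the GRE packets leave the router
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP

! Hypothetical next hop for reaching the remote endpoint
ip route 198.51.100.1 255.255.255.255 192.0.2.254
```

After traffic has crossed the tunnel, `show crypto ipsec sa` should show the encaps/decaps counters increasing for the GRE-TRAFFIC entry; counters stuck at zero while the tunnel still passes traffic mean the GRE packets are leaving unencrypted.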