Many discussions and many questions about GRE over IPSec Crypto map versus Tunnel Protection (IPsec Profile). The old method versus the new method.
Cisco introduced the concept of tunnel protection in the OLD course SIMOS for VPN which is now replaced by the SVPN course.
In the old method, an extended ACL must be defined to match the traffic that will be encrypted. Since we use GRE as the encapsulation protocol for all IP packets, traditionally we used an ACL (100 in our scenario) to match the GRE packets sourced from 188.8.131.52 (in our case) and destined to 184.108.40.206 (in our scenario), because all traffic that goes through the tunnel will be encapsulated with the public IP header defined by the tunnel source and tunnel destination commands under the tunnel interface.
Then, after setting this ACL, we need the popular crypto map for phase 2 IPsec. Under the crypto map, in the past we mainly put the ACL using the match address 100 command, the peer using the set peer 220.127.116.11 command, and the transform set using the set transform-set command; finally we apply the crypto map on the physical interface.
Now, why move to Tunnel Protection or IPsec Profile? Simply because when we use IPsec with GRE (GRE over IPsec), there is a lot of DUPLICATED CONFIGURATION.
Now where is this duplication? In the figure, notice the following:
1-The set peer 18.104.22.168 command under the crypto map has the same meaning as the tunnel destination 22.214.171.124 command under the tunnel interface.
2-The second duplication is the ACL. Previously, with the old method, the crypto ACL had to identify the GRE packets and be associated with the crypto map using match address 100. The ACL + match address 100 have the same meaning as the tunnel source 126.96.36.199 and tunnel destination 188.8.131.52 commands.
This is why Tunnel Protection, commonly known as IPsec Profile, comes to the rescue as the new method and replaces the old crypto map method.
You create an IPsec Profile, you associate the transform-set, then you apply the IPsec Profile on the Tunnel interface, and that's it. There is no need for an ACL or a PEER; all this information is already there in the tunnel interface.
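To make the duplication concrete, here is an added example (not from the original post) showing the old crypto map method and the new IPsec profile method side by side on the same router, for both the ACL/crypto map steps described above and the tunnel protection step. The addresses (192.0.2.1 as our public tunnel source, 198.51.100.2 as the peer), the pre-shared key and every name (TS-AES, CM-OLD, IPSEC-PROF) are constructed for this example; the interface names are assumed.

```cisco
! ===== Shared by both methods =====
! IKE phase 1 policy and pre-shared key (constructed values, replace the key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.2
!
! IPsec phase 2 transform set, used by both methods
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! GRE tunnel: source and destination already identify the GRE flow
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
!
! ===== Old method: crypto ACL + crypto map on the physical interface =====
! Duplication 2: the crypto ACL repeats tunnel source / tunnel destination
access-list 100 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map CM-OLD 10 ipsec-isakmp
 ! Duplication 1: set peer repeats tunnel destination
 set peer 198.51.100.2
 set transform-set TS-AES
 ! Duplication 2 again: the ACL is tied to the map here
 match address 100
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-OLD
!
! ===== New method: IPsec profile + tunnel protection =====
! No ACL, no peer: the profile only carries the transform set
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
! Applied on the tunnel itself, which already knows source and destination
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROF
```

When migrating, remove the crypto map from the physical interface before applying tunnel protection, so that only one method handles the GRE flow to that peer. Either way, show crypto session and show crypto ipsec sa let you confirm that an SA came up whose proxy identities are the GRE traffic between the two tunnel endpoints.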