When configuring a VPN on a Cisco router, I remember that in the past there was always the problem that the access list used on the input interface (where the encrypted traffic arrives) was scanned twice: once with the encrypted traffic (so you had to allow the ESP protocol) and once with the decrypted traffic (so you had to allow your payload traffic as well).
AFAIK, this problem was solved long ago. For several years I have been using 12.4 software (e.g. 12.4(5a) and later) and have allowed only ESP and ISAKMP traffic through the Internet-facing interface, and it works OK.
But yesterday, when installing a Cisco 1811 that we got bundled with a fiber connection (which is running C181X-ADVENTERPRISEK9-M, Version 12.4(6)T), I had to explicitly allow the GRE traffic that we are transporting over IPsec, or else the link would not work. The allow gre rule shows that it matches traffic (its counter increments).
What can be going on here? Is this problem still present in version 12.4(6)T, or is it maybe a "feature" that can be turned off with a config command and whose default varies between versions?