Quick question on router logic between VPN peers. If you have a site-to-site VPN and your ACL tells the router what to encrypt,
such as "access-list 101 permit ip host 10.0.0.1 host 10.0.0.2 log"
if you have networks on the far side of each of these peers, does the aforementioned ACL mean only the traffic specifically between the peers would be encrypted, and traffic destined for 10.0.5.1 (connected to 10.0.0.1) from 10.0.0.2 would not? This is hard to illustrate without pictures, but my thought process is that the sending router (.2) would have to know (routing table) where to send data to reach the 5.x network, and once the sending router found the exit interface had a crypto map, the ACL would take over and send the data to the encryption engine.
To answer your question: the encryption engine will only encrypt traffic that is matched via the crypto map. So if your crypto map says to match access list 101, then only the traffic from 10.0.0.1 will be encrypted and sent across the encrypted tunnel; all other traffic will be sent unencrypted. Also keep in mind that if you have NAT enabled on your interfaces, one thing that you will have to do is to prevent the traffic that is destined for the VPN tunnel from being NAT'ed. Otherwise you will see no traffic going across the tunnel.
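The matching described in the answer above, together with the questioner's 10.0.5.x case, as an added Python example that is not part of the original thread: it parses Cisco-style extended ACL lines, evaluates a packet against them the way the crypto map does (first match, implicit deny), and models the outbound order of operations in which inside-to-outside NAT runs before the crypto ACL is consulted, which is why the NAT exemption is needed. The LAN prefixes 10.0.5.0/24 behind 10.0.0.1 and 10.0.6.0/24 behind 10.0.0.2, the ACL numbers 102 and 110, and NAT overload to the outside interface address are assumptions made for the illustration; the packets are constructed.

```python
"""Simulate how a Cisco IOS router selects traffic for a site-to-site IPsec
tunnel: the crypto map's ACL decides what goes to the encryption engine, and
inside->outside NAT runs before that check on the outbound path.

Assumptions (not from the forum post): 10.0.5.0/24 sits behind peer 10.0.0.1
and 10.0.6.0/24 behind peer 10.0.0.2; only 'ip' entries with contiguous
wildcard masks are parsed; NAT overloads to the outside interface address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                       # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one Cisco address spec at tokens[i]: 'host A', 'any' or 'A WILDCARD'.
    Returns (network, index of the next unparsed token)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_acl(lines):
    """Parse extended-ACL lines such as
    'access-list 101 permit ip host 10.0.0.1 host 10.0.0.2 log'."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]                 # drop 'access-list <number>'
        if tok[1] != "ip":
            raise ValueError("example parses only 'ip' entries: " + line)
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)      # a trailing 'log' keyword is ignored
        entries.append(AclEntry(tok[0], src, dst))
    return entries


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit 'deny any any' at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def outbound(src, dst, crypto_acl, nat_acl=None, outside_ip=None):
    """Outbound order of operations on the tunnel interface: inside->outside
    NAT first (if the NAT ACL permits the packet), then the crypto map ACL is
    checked against the packet as it looks *after* translation.
    Returns (source address on the wire, encrypted?)."""
    if nat_acl is not None and acl_permits(nat_acl, src, dst):
        src = outside_ip                  # PAT overload to the interface address
    return src, acl_permits(crypto_acl, src, dst)


# The ACL from the question: only peer-to-peer traffic is interesting traffic.
HOST_ONLY = parse_acl(["access-list 101 permit ip host 10.0.0.1 host 10.0.0.2 log"])
# What a LAN-to-LAN tunnel needs: the networks behind each peer (assumed prefixes).
LAN_TO_LAN = parse_acl(["access-list 102 permit ip 10.0.5.0 0.0.0.255 10.0.6.0 0.0.0.255"])
# NAT ACL without and with the exemption line ('deny' here means 'do not translate').
NAT_ALL = parse_acl(["access-list 110 permit ip 10.0.5.0 0.0.0.255 any"])
NAT_EXEMPT = parse_acl(["access-list 110 deny ip 10.0.5.0 0.0.0.255 10.0.6.0 0.0.0.255",
                        "access-list 110 permit ip 10.0.5.0 0.0.0.255 any"])


def demo():
    """Constructed packets as seen leaving router 10.0.0.1's outside interface."""
    return {
        "peer->peer, host ACL":  outbound("10.0.0.1", "10.0.0.2", HOST_ONLY),
        "lan->peer, host ACL":   outbound("10.0.5.1", "10.0.0.2", HOST_ONLY),
        "lan->lan, host ACL":    outbound("10.0.5.1", "10.0.6.1", HOST_ONLY),
        "lan->lan, lan ACL":     outbound("10.0.5.1", "10.0.6.1", LAN_TO_LAN),
        "lan->lan, NAT first":   outbound("10.0.5.1", "10.0.6.1", LAN_TO_LAN, NAT_ALL, "10.0.0.1"),
        "lan->lan, NAT exempt":  outbound("10.0.5.1", "10.0.6.1", LAN_TO_LAN, NAT_EXEMPT, "10.0.0.1"),
    }


if __name__ == "__main__":
    for case, (src, enc) in demo().items():
        print(f"{case:22s} src on wire {src:10s} encrypted={enc}")
```

The cases are shown from the 10.0.0.1 side; the mirrored ACL on 10.0.0.2 behaves the same way for the questioner's 10.0.0.2 to 10.0.5.1 packet. The "NAT first" case is the failure the answer warns about: the LAN source is translated to the interface address before the crypto ACL sees it, so it no longer matches and leaves the router in the clear; the deny line in the NAT ACL keeps the original source so the crypto ACL matches.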