parsed.org

Tips by tag: ipsec

  1. Define a numbered ISAKMP (IKEv1 phase 1) policy with the encryption algorithm and authentication method. Anything not set keeps its IOS default (hash sha, group 1, lifetime 86400), so set hash and group explicitly rather than inheriting 768-bit DH group 1, and prefer AES over 3DES on any release that supports it:

    crypto isakmp policy 1
      encryption 3des
      authentication pre-share
    
  2. Define the pre-shared key for the remote endpoint of the tunnel. The same key must be configured on both sides, and it is stored in the running configuration, so protect config backups accordingly:

    crypto isakmp key <key> address <IP address of remote endpoint>
    
  3. Define ISAKMP keepalives (dead peer detection) if applicable. Both values are in seconds: the first is the idle interval before a DPD probe is sent, the second is the interval between retries once a probe goes unanswered (it is not a retry count):

    crypto isakmp keepalive <keepalive interval> <retry interval>
    
  4. Define a named IPsec transform set, the Cisco term for the combination of ESP/AH protocol and algorithms applied to a given traffic flow. 3DES and SHA-1 are shown here; use esp-aes 256 esp-sha256-hmac where the platform supports them. The default is tunnel mode; for GRE over IPsec, adding `mode transport` under the transform set saves 20 bytes per packet, because the GRE packet already carries the outer addresses:

    crypto ipsec transform-set <name> esp-3des esp-sha-hmac
    
  5. Define a named crypto map, another Cisco abstraction that ties together the elements of an IPsec Security Association (SA). Each entry specifies the remote peer, the transform set to use, and a mandatory access list that selects the traffic to be protected; the sequence number orders entries within the map, so one map can carry several entries, one per peer:

    crypto map <name> <number, e.g. 1> ipsec-isakmp 
      set peer <IP of remote peer>
      set transform-set <name of transform-set above> 
      match address <access list number>
    
  6. Create the extended access list referenced in step 5 and permit GRE between the two tunnel endpoints using host entries. The peer must configure the mirror image (its own address as source, yours as destination); if the two ACLs do not match, the phase 2 proxy identities disagree and the IPsec SA never comes up:

    access-list <number> permit gre host <local IP> host <endpoint IP>
    
  7. Create the GRE tunnel interface that carries traffic to the remote site. The tunnel source must be the interface (or address) whose IP appears as the local host in the crypto ACL, and the tunnel destination must equal the crypto map peer; otherwise the GRE packets do not match the crypto ACL and leave the router unencrypted:

    interface Tunnel0
      ! If applicable, i.e. numbered interface.
      ip address <link subnet IP> <link subnet mask> 
      ! The rest:
      tunnel source <public interface>
      tunnel destination <remote endpoint IP>
    
  8. Apply the crypto map to the physical (public) interface through which the GRE packets leave. The map is evaluated against outbound traffic on that interface, so the tunnel interface itself needs no crypto configuration in this design:

    interface <public interface>
      ...
      crypto map <map name>
      ...
    
  9. Set a static route to the remote network via the tunnel interface, if applicable. Never route the remote endpoint's public address itself through Tunnel0: the tunnel destination would then be reachable only through the tunnel, IOS detects the recursion and shuts the interface down:

    ip route <remote net> <remote netmask> Tunnel0
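
Putting the nine steps together: the following is an added example, not part of the original tips, of the complete configuration for both ends of a GRE-over-IPsec tunnel. The addresses come from the RFC 5737 documentation ranges, and the host names, pre-shared key, ACL number and map and transform-set names are invented for illustration. The algorithms assume an IOS release (15.x or later) that supports AES-256, SHA-256 and DH group 14; on older code substitute the 3DES/SHA-1 values used in the steps above.

```cisco
! Site A (hub). Public 192.0.2.1 on GigabitEthernet0/0, LAN 10.1.0.0/24,
! tunnel link 172.16.0.1/30. All values are constructed for this example.
hostname siteA
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key s3cret-psk-change-me address 198.51.100.1
! Probe after 10 s idle, retry every 3 s, send probes periodically rather than on demand.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-AES
 set pfs group14
 match address 101
!
! Crypto ACL: local tunnel endpoint first, remote endpoint second.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
! Only the remote LAN goes through the tunnel, never the peer's public address.
ip route 10.2.0.0 255.255.255.0 Tunnel0

! Site B (spoke). Public 198.51.100.1 on GigabitEthernet0/0, LAN 10.2.0.0/24,
! tunnel link 172.16.0.2/30. Everything is the mirror image of site A.
hostname siteB
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key s3cret-psk-change-me address 192.0.2.1
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-AES
 set pfs group14
 match address 101
!
! Mirror of site A's ACL; a mismatch here leaves phase 2 stuck with no SA.
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
ip route 10.1.0.0 255.255.255.0 Tunnel0
```

Bring the tunnel up by sending traffic (for example `ping 172.16.0.2` from site A), then check `show crypto isakmp sa` for a QM_IDLE entry with the peer and `show crypto ipsec sa` for rising #pkts encaps/decaps counters. A GRE tunnel that passes traffic while those counters stay at zero is running in the clear, which is exactly the failure the ACL and tunnel source checks above are meant to prevent.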
    
Tags: cisco, encapsulation, gre, ipsec, isakmp, keepalive, tunnel, vpn