I have an 1811W router in China. There is a VPN tunnel to the US. This is working fine. Now I'd like to set up wireless to authenticate back to a RADIUS server in the US (they don't have their own server). I am using the same setup in the Netherlands, except they have a RADIUS server locally. The problem seems to be that the router can't forward the RADIUS packets through the VPN tunnel. I also can't ping, and a traceroute to an address on the other side of the VPN tunnel goes out the Internet connection instead of through the tunnel. I have searched these postings and contacted a local CCNP but haven't found a resolution yet. Any thoughts? I'm going to go to local WPA for now but don't want to run that way long term.
One thing I've found to be tricky is which interface the RADIUS traffic is originating on, i.e. if it's originating on the WAN interface, its traffic is definitely not going to be encrypted, yet if it originates on your Ethernet interface (or a loopback interface) it could be, with the ACL you have there...
Try using `ip radius source-interface <interface>` to make sure the interface it's originating the RADIUS packets from is in the 192.168.11.0/24 network.
Something you might also want to look into is GRE tunnels. If you form a GRE tunnel from the source to the destination router and run all your traffic over that, your ACL for what goes through the IPsec tunnel could simply specify the GRE tunnel, and all traffic encapsulated in the tunnel would get encrypted as a result.
However, I'm betting that if you specify the source interface for your RADIUS packets it will start working.
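The GRE-over-IPsec alternative mentioned in the answer above, written out as an added example (not configuration from the original thread or from the poster). Everything except the 192.168.11.0/24 LAN is assumed: the public addresses 203.0.113.2 (China) and 198.51.100.2 (US) are documentation ranges, the US LAN 10.10.0.0/24, the RADIUS server 10.10.0.5, the tunnel /30, the interface names and the ISAKMP/IPsec parameters are all placeholders to be replaced with the real values.

```cisco
! Added example, not from the original thread. Assumed values:
!   China router WAN FastEthernet0 = 203.0.113.2, US router WAN = 198.51.100.2
!   China LAN 192.168.11.0/24 (from the thread), US LAN 10.10.0.0/24, RADIUS server 10.10.0.5
!   GRE tunnel addresses 172.16.0.1 (China) / 172.16.0.2 (US)
!
! --- China side (1811W) ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400                     ! leave room for GRE + ESP headers
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0     ! WAN interface, assumed name
 tunnel destination 198.51.100.2
!
! Everything for the US LAN, RADIUS included, is routed into the tunnel
ip route 10.10.0.0 255.255.255.0 Tunnel0
!
! RADIUS is sourced from the tunnel address, so it is inside the GRE flow that gets encrypted
ip radius source-interface Tunnel0
!
! The crypto ACL only has to match the GRE flow between the two public addresses
access-list 110 permit gre host 203.0.113.2 host 198.51.100.2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 110
interface FastEthernet0
 crypto map VPNMAP
!
! --- US side (mirror image) ---
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source <US WAN interface>
 tunnel destination 203.0.113.2
ip route 192.168.11.0 255.255.255.0 Tunnel0
access-list 110 permit gre host 198.51.100.2 host 203.0.113.2
! (same crypto isakmp / transform-set / crypto map, with peer 203.0.113.2)
```

Two things follow from this layout: the RADIUS server now sees requests from 172.16.0.1, so its NAS/client entry and shared secret must be defined for that address, and the US router must have a route back to 172.16.0.0/30 (it does, as a connected route on Tunnel0) and to 192.168.11.0/24 via the tunnel, or the replies never make it back. `show interfaces Tunnel0` and `show crypto ipsec sa` should show the GRE packets being counted and encapsulated once a RADIUS request is sent.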
It is not quite clear from your post, but I am assuming that 192.168.11.0 is the subnet on the LAN of the remote router. Depending on how you have configured the router, the source address used for RADIUS is probably not the LAN IP address. By default the source address used by the router will be the address of the outbound interface. This is also true for ping and traceroute: by default the source address will be the address of the outbound interface. To get to the other router, the outbound interface has some other address (probably a public address).
The solution for RADIUS is pretty simple.
There is a command `ip radius source-interface`. If you use this, the router will use whatever interface address you specify (in this case the LAN interface). The solution for ping and traceroute is either to use extended ping and extended traceroute, where you can specify the source address as the LAN interface, or to add to the access list some lines which will identify traffic sourced from the local outbound interface and destined to the remote network.
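Both fixes described in this answer (and the source-interface suggestion in the answer before it), as an added example that is not configuration from the original thread. The 192.168.11.0/24 LAN comes from the thread; the LAN interface Vlan1 with 192.168.11.1, the WAN interface FastEthernet0 with the public address 203.0.113.2, the US LAN 10.10.0.0/24, the RADIUS server 10.10.0.5, the crypto ACL number 110 and the shared secret are all assumptions.

```cisco
! Added example, not from the original thread. Assumed values:
!   China LAN Vlan1 = 192.168.11.1/24 (subnet from the thread), WAN FastEthernet0 = 203.0.113.2
!   US LAN 10.10.0.0/24, RADIUS server 10.10.0.5, existing crypto ACL 110
!
! Existing LAN-to-LAN crypto ACL line, shown for reference
access-list 110 permit ip 192.168.11.0 0.0.0.255 10.10.0.0 0.0.0.255
!
! 1. RADIUS: source the requests from the LAN address so the line above matches them.
!    aaa new-model is assumed to be in place already for the wireless 802.1X config.
ip radius source-interface Vlan1
radius-server host 10.10.0.5 auth-port 1812 acct-port 1813 key <shared-secret>
!    The RADIUS server must have a client/NAS entry for 192.168.11.1, not for the public address.
!
! 2. Ping/traceroute, option A: extend the crypto ACL so traffic the router itself sends
!    from its WAN address to the US LAN is also encrypted.
access-list 110 permit ip host 203.0.113.2 10.10.0.0 0.0.0.255
!    The US peer's crypto ACL needs the mirror line, or phase 2 will not negotiate for it:
!    access-list 110 permit ip 10.10.0.0 0.0.0.255 host 203.0.113.2
!
! 3. Ping/traceroute, option B: leave the ACL alone and give the test traffic a LAN source.
!    (exec mode, shown with the prompt)
Router# ping 10.10.0.5 source 192.168.11.1
Router# traceroute 10.10.0.5 source 192.168.11.1
!
! Confirm the RADIUS packets are actually being encrypted and answered
Router# show crypto ipsec sa | include ident|pkts encaps|pkts decaps
Router# debug radius
```

The `show crypto ipsec sa` counters are the quickest check: if `pkts encaps` rises when a wireless client tries to authenticate but `pkts decaps` stays at zero, the request left through the tunnel and the problem is on the US side (return route to 192.168.11.0/24, or the RADIUS server rejecting an unknown client address); if neither counter moves, the packets are still leaving unencrypted and the source address does not match the crypto ACL.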