I used SDM 2.5 to configure a site-to-site VPN from my 2811 to a branch office rv082. It almost works!
2811 network is 192.168.10.0/24; rv082 network is 192.168.1.0/24
From the rv082 LAN, I can access anything behind the 2811, but traffic originating behind the 2811 fails. If I try to ping the rv082 inside address or a client behind it, I get "destination host unreachable" from an Internet router (I added a permit icmp rule to the appropriate ACL). IP protocols fail the way you expect when there's no route.
The 2811 only has the default route configured and no routing protocols are enabled.
Here's the mirror dump from the SDM:
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
crypto isakmp key XXXXXXXXXX address xx.xx.xx.xx
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
ip access-list extended SDM_4
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit icmp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map SDM_CMAP_3 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address yy.yy.yy.yy that connects to this router.
 set transform-set ESP-3DES-SHA1
 set peer xx.xx.xx.xx
 match address SDM_4
Any idea what I might be missing?