Hi,
You need to configure VPN on the end device (i.e., close to the internet). To my understanding you have the following topology:
----ASA----Router---[ Internet]---Router---ASA
If this is true, please refer to the following sample configuration document link to configure VPN on the routers.
Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
In this configuration example,
--The access-list 101 on R2 is used to define the interesting traffic for VPN.
--The access-list 175 on R2 is used to exempt the VPN interesting traffic from NAT on the router. The keyword "DENY" is used for said purpose.
Similarly, it's done on Router 3 as well.
Note: You need the access-list 175 if you are doing NAT on the router; otherwise it's not required.
HTH....
Regards
M
Mohit Paul
CCIE-Security 35496
P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
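
The relationship between access-list 101 and access-list 175 described in the post above can be checked mechanically. This Python audit is an added example, not part of the original post or the linked Cisco document; the addresses, interface, route-map and crypto map names in the sample are constructed, and entries are compared textually rather than by subnet overlap.

```python
import re

# Constructed R2-style fragment: addresses, interface, route-map and crypto
# map names are assumptions for illustration, not copied from the Cisco doc.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 175 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 175 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
ip nat inside source route-map nonat interface Ethernet0/1 overload
crypto map vpnmap 10 ipsec-isakmp
 match address 101
"""

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")


def parse_acls(config):
    """Return {acl_number: [(action, 'src wildcard dst wildcard'), ...]} in order."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            flow = " ".join(m.group(3).split())  # normalise whitespace
            acls.setdefault(m.group(1), []).append((m.group(2), flow))
    return acls


def nat_exemption_gaps(config, crypto_acl="101", nat_acl="175"):
    """List crypto-ACL flows the NAT ACL does not deny before its first permit."""
    if "ip nat inside source" not in config:
        return []  # no NAT on this router, so no exemption ACL is required
    acls = parse_acls(config)
    exempt = []
    for action, flow in acls.get(nat_acl, []):
        if action == "permit":
            break  # first match wins; later denies are conservatively ignored
        exempt.append(flow)
    # Textual comparison only: a broader deny that covers the flow is not credited.
    return [flow for action, flow in acls.get(crypto_acl, [])
            if action == "permit" and flow not in exempt]


if __name__ == "__main__":
    print(nat_exemption_gaps(SAMPLE_CONFIG) or "VPN traffic is exempt from NAT")
```

A non-empty result means VPN interesting traffic would be translated before it is compared against the crypto ACL, so it would no longer match access-list 101 and would leave unencrypted.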