
Outbound ACL problem

cvallejos0007
Level 1
Level 1

Hello guys,

I have set up an IPsec tunnel between 2 routers. Both WANs are in different segments. So far this is OK, but I want to block any outgoing traffic that is NOT included in the ACL for the IPsec tunnel. For this I set up an ACL on the WAN interface of Router 1 (type: out), but when I try to ping R2 from the R1 LAN (a host that is not in the encrypted domain) I can still reach R2 or even SSH to it.

 

Any suggestion? I know the problem is in the ACL, but I don't know how to correct it.

Please help.

7 Replies

mfurnival
Level 4
Level 4

Hi,

It would be helpful to see the relevant config bits from both ends.

Sure, sorry. I will put the relevant info for R1; R2 is the same but with the IP addressing flipped.

I'm pinging from the R1 LAN, 192.168.2.0, which is not included in the tunnel.

-----------------

R1:

object-group network NET-SITE1
 192.168.1.0 255.255.255.0
!
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
!
ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2
!
ip access-list extended UNWANTED-TRAFFIC
 deny ip any any log
 ! never matched: the preceding "deny ip any any" already covers ICMP
 deny icmp any any log
!
interface GigabitEthernet0/1
 ...
 ip access-group UNWANTED-TRAFFIC out
 ...

It would be good to see the tunnel config too. Are you sure that the traffic from 192.168.2.0 is not being tunnelled too?

Yes, I'm sure, because it is not in the ACL that allows the IPSEC-TRAFFIC, and also the tunnel is UP, so I don't know what more info about the tunnel could be useful other than that I use "match address IPSEC-TRAFFIC".

Another question - these are two routers right? (as opposed to ASAs).

Is there a reason you are using object groups?

"Object group-based ACLs are not supported with IPsec." from http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617

Yes, we use them because we are continuously adding more segments at both sites. For example:

object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
 192.168.34.0 255.255.255.0
 192.168.110.0 255.255.255.0
!
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
 10.10.44.0 255.255.255.0
 10.10.120.0 255.255.255.0
 10.10.1125.0 255.255.255.0

And we also have segments that we want to block, like 192.168.2.0/24.

If object-group-based ACLs are not supported with IPsec, can you please suggest a better way to do the above configuration? Thanks.
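Since the Cisco document quoted above says object-group ACLs are not supported with IPsec, one practical route is to keep the object groups as the source of truth and generate the explicit per-subnet ACEs the crypto map's match address ACL needs. The script below is an added example, not from this thread or from Cisco; it parses a constructed subset of the R1 config posted above (function names are my own), expands every object-group ACE into plain wildcard-mask ACEs, and rejects mistyped entries such as the 10.10.1125.0 line in the post rather than emitting a broken ACE.

```python
import ipaddress
import re

# Constructed sample: a subset of the R1 object groups and crypto ACL posted above.
SAMPLE_CONFIG = """
object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
 10.10.44.0 255.255.255.0
ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2
"""

def parse_object_groups(config):
    """Return {group: [IPv4Network, ...]} from 'object-group network' blocks.
    IPv4Network is strict: an octet > 255 or host bits set under the mask
    raises ValueError instead of silently yielding a wrong ACE."""
    groups, current = {}, None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        m = re.fullmatch(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            groups[current].append(ipaddress.IPv4Network(f"{m[1]}/{m[2]}"))
        else:
            current = None  # any other command ends the object-group block
    return groups

def expand_crypto_acl(config):
    """Rewrite 'permit|deny ip object-group A object-group B' into one plain
    ACE per (source, destination) subnet pair, using IOS wildcard masks."""
    groups = parse_object_groups(config)
    aces = []
    for line in config.splitlines():
        m = re.fullmatch(r"\s*(permit|deny) ip object-group (\S+) object-group (\S+)", line)
        if m:
            action, src, dst = m.groups()
            for s in groups[src]:
                for d in groups[dst]:  # hostmask = inverted subnet mask = IOS wildcard
                    aces.append(f" {action} ip {s.network_address} {s.hostmask} "
                                f"{d.network_address} {d.hostmask}")
    return aces

def render_acl(name, aces):
    """Named extended ACL, ready for 'crypto map ... match address <name>'."""
    return "\n".join([f"ip access-list extended {name}", *aces])
```

Each new subnet added to a group regenerates the full list, so the crypto ACL on both routers stays a mirror image of the object groups instead of being edited by hand.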