HI, i am trying to configure site to site VPN on a cisco 2911 router. 

I am unable to get the tunnel up, after some research i have narrowed down the cause to NAT or default route.

Can someone help me 

I have posted mt config below 

Router Config

Router#s

*Jun  3 20:05:05.474: %SYS-5-CONFIG_I: Configured from console by consoleh run

Building configuration...

Current configuration : 5499 bytes

!

! Last configuration change at 15:05:05 PCTime Tue Jun 3 2014

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

enable password XXXXX

!

no aaa new-model

clock timezone PCTime -5 0

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

ip cef

!

!

!

!

ip dhcp pool TEST

 network 192.168.x.x 255.255.255.0

 default-router 192.168.x.x

 dns-server 64.71.255.198 64.71.255.204 4.2.2.2

!

ip dhcp pool 10

 network 192.168.xxx.xx 255.255.255.0

 default-router 192.168.xxx.xx

 dns-server 64.71.255.198 64.71.255.204 4.2.2.2

!

ip dhcp pool 1

 network 10.100.xx.xx 255.255.255.0

 default-router 10.100.xx.xx

 dns-server 64.71.255.198 64.71.255.204 4.2.2.2

!

ip dhcp pool 2

 network 10.100.xxx.xx 255.255.255.0

 default-router 10.100.xxx.xx

 dns-server 64.71.255.198 64.71.255.204 8.8.8.8

!

!

!

no ip domain lookup

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-1282495617

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1282495617

 revocation-check none

 rsakeypair TP-self-signed-1282495617

!

!

crypto pki certificate chain TP-self-signed-1282495617

 certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31323832 34393536 3137301E 170D3133 31303031 31393032

  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383234

  39353631 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C2E9 568B0B30 1BE35F55 BAF6F8C5 2525E808 23930CD9 81602A70 DAFAE355

  35C7D946 DA8CB688 C1844F02 7AE8864D 80EE3355 27A7B1DC FA5329A0 2B44E434

  478EFC47 7D92D8E7 46D6DA4B 5D477D90 E81AC837 3F62DE48 0D0937A0 286FE963

  6D2F5DC8 0A2B70EC 5A9F5E3F 47D2A08F EC0A10BC 713507AD F24E042E 94CFB70D

  47B30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14735FD7 7A1F7322 CE6A9645 7C73633D D8ED8915 77301D06

  03551D0E 04160414 735FD77A 1F7322CE 6A96457C 73633DD8 ED891577 300D0609

  2A864886 F70D0101 05050003 81810095 433FC9D1 464A9129 6C02E492 19963992

  8A9C1549 A71F3E96 F89F4FE9 AAC3A748 1393CED4 8CEC5D99 71C5455F 5DE834D7

  CB4B08A2 276C9DA5 012FAEE2 7EB921E9 4B42DCEA FCD1D04E 2C2C6633 D20D1BDB

  133F7B0F ADEB7212 95C88B50 EB3D2854 C1BA8DD1 43B6BD3C C96C3E12 CF7025D1

  12E1ACE9 D76791A5 96E88A28 CDCF3B

        quit

license udi pid CISCO2911/K9 sn FGL173011EB

!

!

username admin privilege 15 password 0 XXXXXX

username rahul privilege 15 password 0 XXXXXXX

username xxxx privilege 15 secret 4 VWq946KBE6gESOmM2hYcakgfruaB4GfVtlGBulc8F7k

!

redundancy

!

!

!

!

!

!

class-map match-any CCP-Transactional-1

 match dscp af21

 match dscp af22

 match dscp af23

class-map match-any CCP-Voice-1

 match dscp ef

class-map match-any CCP-Routing-1

 match dscp cs6

class-map match-any CCP-Signaling-1

 match dscp cs3

 match dscp af31

class-map match-any CCP-Management-1

 match dscp cs2

!

policy-map sdm-qos-test-123

 class class-default

policy-map CCP-QoS-Policy-1

 class CCP-Voice-1

  priority percent 55

 class CCP-Signaling-1

  bandwidth percent 5

 class CCP-Routing-1

  bandwidth percent 5

 class CCP-Management-1

  bandwidth percent 5

 class CCP-Transactional-1

  bandwidth percent 5

 class class-default

  fair-queue

  random-detect

!

!

!

crypto isakmp policy 1

 encr aes 256

 authentication pre-share

 group 2

crypto isakmp key xxxxxxxxxxx address 198.161.xxx.xxx

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set OES esp-aes 256 esp-sha-hmac

 mode tunnel

crypto ipsec transform-set vpnset esp-aes esp-sha-hmac

 mode tunnel

!

!

!

crypto map tunnel 100 ipsec-isakmp

 set peer 198.161.xxx.xxx

 set transform-set OES

 match address 101

!

!

!

!

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/0

 ip address 69.17.xxx.xxx 255.255.255.252

 ip nat outside

 ip virtual-reassembly in

 duplex full

 speed 100

 crypto map tunnel

!

interface GigabitEthernet0/1

 description WEEE.LOCAL

 ip address 10.100.xx.xx 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

 service-policy output CCP-QoS-Policy-1

!

interface GigabitEthernet0/2

 description voip

 ip address 10.100.xxx.xxx 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source list 2 interface GigabitEthernet0/0 overload

ip nat inside source list 10 interface GigabitEthernet0/0 overload

ip nat inside source list 99 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 69.17.xxx.xxx

!

access-list 1 permit 10.100.xx.xx 0.0.0.255

access-list 2 permit 10.100.xxx.xxx 0.0.0.255

access-list 10 permit 192.168.xxx.xx 0.0.0.255

access-list 99 permit 192.168.x.x 0.0.0.255

access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport input all

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

line vty 0 4

 password XXXX

 login

 transport input all

!

scheduler allocate 20000 1000

!

End

Router#sh crypto isakmp policy

Global IKE policy

Protection suite of priority 1

        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Router#sh crypto map

Crypto Map IPv4 "tunnel" 100 ipsec-isakmp

        Peer = 198.161.xxx.xxx

        Extended IP access list 101

            access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255

        Current peer: 198.161.xxx.xxx

        Security association lifetime: 4608000 kilobytes/86400 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                OES:  { esp-aes 256 esp-sha-hmac  } ,

        }

        Interfaces using crypto map tunnel:

                GigabitEthernet0/0

Router#show crypto ipsec sa

interface: GigabitEthernet0/0

    Crypto map tag: tunnel, local addr 69.17.xxx.xxx

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.100.xxx.xxx/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.252.xxx.xxx/255.255.255.0/0/0)

   current_peer 198.161.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 69.17.xxx.xxx, remote crypto endpt.: 198.161.xxx.xxx

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas: