You NAT ACL should be,
access-list 100 deny ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
Your Crypto ACL should be,
access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
So this is how it works, when outbound packet hits the internal interface it will check the routing table and will pick the default gateway route via your Internet link.
We have NAT outside enabled on that interface... It will then check if the NAT ACL passes.. in your case only the traffic from local subnet to other places excluding the Main office range will be permitted for NAT.. so if your packet is destined to internet it will then get NAT/PAT'ed out.
If the packet is destined to the main office, it will NOT get NAT'ed and will proceed and will see the Crypto MAP configured on the outside interface... will check the Crypto ACL.. which is a pass.. this will then get encrypted and be sent through the IPSec tunnel.
It is important to make sure that you have the mirrored Crypto ACL configured on the Main office side.. otherwise you will run in to issues.
Hope this helps.. let me know if you need more information on this..
Please don't forget to rate helpful answers.. :)