10-26-2006 11:40 AM - edited 03-03-2019 02:29 PM
Greetings,
I am building IPsec tunnels between two remote sites. I am creating just one of those tunnels to pass all traffic between two sync servers (two separate subnets, 10.10.10.21/24 and 10.10.11.21/24). Am I doing this correctly if I have a static route to the outbound interface, and another static route for just the server IP address to that tunnel? Here is an example:
....
interface tunnel 1
ip address 10.10.254.5 255.255.255.252
...
tunnel source 10.10.10.254
tunnel destination 10.10.11.254
................
ip route 10.10.10.254 255.255.255.255 Fastethernet0 name tunnel1-to-tunnel2
ip route 10.10.10.21 255.255.255.255 tunnel1 name tunnel1-to-tunnel2
....
ip access-list extended tunnel1-to-tunnel2
permit gre host 10.10.10.21 host 10.10.11.21
Thanks for any help,
Gene
10-26-2006 05:46 PM
Since you are doing IPSEC over GRE, your access-list to encrypt traffic should be your tunnel source and destination.
ip access-list extended tunnel1-to-tunnel2
permit gre host 10.10.10.254 host 10.10.11.254
Please refer to the URL below for details.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
Let me know if it helps.
Regards,
Arul
** Please rate all helpful posts **
10-26-2006 06:07 PM
Gene
Your post talks about building an IPSec tunnel. But the configuration shows more GRE tunnel than IPSec tunnel. It is sometimes done to run IPSec with GRE but it is not always necessary. You have not indicated what if anything requires the GRE. And that makes it more difficult for us to answer your question.
The configuration of the GRE tunnel as shown seems OK, assuming that 10.10.10.254 is a locally connected address on some interface of the router. But in that case you certainly do not need the static route
ip route 10.10.10.254 255.255.255.255 Fastethernet0 name tunnel1-to-tunnel2 (why would you need a static route for a locally connected address?).
Also, the second static route (for 10.10.10.21) indicates that you go through the tunnel to get to it. But if the tunnel source is 10.10.10.254 (and that must be a locally connected interface), it is hard to see how some other address in that subnet is reached through the tunnel.
You show an access list but you do not show how the access list is to be used. If the access list is to be used by the crypto map to identify traffic for IPSec to protect then it should use the addresses of the tunnel end points. (permit gre host 10.10.10.254 host 10.10.11.254).
The one thing that the GRE tunnel needs to work is a route to the tunnel destination (10.10.11.254). It is not clear from what you posted whether the router has a route such as this.
HTH
Rick
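The two replies above boil down to a handful of consistency rules for the GRE-over-IPsec plumbing: the crypto access list must match GRE between the tunnel endpoints, the router needs a route to the tunnel destination that does not itself point into the tunnel, a static route for a locally connected address is redundant, and a route through the tunnel should not point at a host on the tunnel source's own subnet. The following Python script is an added example, not code from the thread or from Cisco: it parses just the IOS lines those rules depend on and runs the checks over two constructed configs, one reproducing the snippet in the question and one corrected along the lines of both replies. The FastEthernet0 address 10.10.10.254/24, the crypto map name TUNNEL-MAP and the WAN next hop 10.10.10.1 are assumptions; the ISAKMP policy and transform set are omitted because nothing here checks them.

```python
"""Consistency checks for a GRE-over-IPsec tunnel config (added example, not from the thread).
Only the lines the checks need are parsed; interface and crypto map names are assumptions."""
import ipaddress
import re


def parse_config(text):
    """Collect interface addresses, tunnel endpoints, static routes, ACL entries and the crypto ACL."""
    cfg = {"connected": [], "routes": [], "acl": {}, "src": None, "dst": None, "crypto_acl": None}
    ctx = None  # ("if", name) or ("acl", name): the stanza whose indented lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)", line, re.I):
            ctx = ("if", m[1])
        elif m := re.match(r"ip access-list extended\s+(\S+)", line, re.I):
            ctx = ("acl", m[1])
            cfg["acl"][m[1]] = []
        elif (m := re.match(r"ip address\s+(\S+)\s+(\S+)", line, re.I)) and ctx and ctx[0] == "if":
            cfg["connected"].append((ctx[1], ipaddress.ip_interface(f"{m[1]}/{m[2]}")))
        elif m := re.match(r"tunnel (source|destination)\s+(\S+)", line, re.I):
            cfg["src" if m[1].lower() == "source" else "dst"] = ipaddress.ip_address(m[2])
        elif m := re.match(r"ip route\s+(\S+)\s+(\S+)\s+(\S+)", line, re.I):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif (m := re.match(r"permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)", line, re.I)) and ctx and ctx[0] == "acl":
            cfg["acl"][ctx[1]].append((m[1].lower(), ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"match address\s+(\S+)", line, re.I):
            cfg["crypto_acl"] = m[1]
    return cfg


def lookup(cfg, addr):
    """Longest-prefix match over connected subnets and static routes: (network, next hop) or None."""
    cands = [(n.network, f"connected {name}") for name, n in cfg["connected"] if addr in n.network]
    cands += [(net, nh) for net, nh in cfg["routes"] if addr in net]
    return max(cands, key=lambda c: c[0].prefixlen, default=None)


def check_config(cfg):
    """Return findings as strings; an empty list means the tunnel plumbing is consistent."""
    findings, src, dst = [], cfg["src"], cfg["dst"]
    local = {n.ip: n.network for _, n in cfg["connected"]}  # configured address -> its subnet
    if src not in local:
        findings.append(f"tunnel source {src} is not an address configured on this router")
    route = lookup(cfg, dst)
    if route is None:
        findings.append(f"no route to tunnel destination {dst}")
    elif route[1].lower().startswith("tunnel"):
        findings.append(f"route to tunnel destination {dst} recurses through {route[1]}")
    for net, nh in cfg["routes"]:
        if net.prefixlen == 32 and net.network_address in local:
            findings.append(f"static route for connected address {net.network_address} is redundant")
        if nh.lower().startswith("tunnel") and src in local and net.subnet_of(local[src]):
            findings.append(f"route {net} via {nh} points at the tunnel source's own subnet")
    acl = cfg["crypto_acl"]
    if acl is None:
        findings.append("no crypto map applies an access list (match address)")
    entries = cfg["acl"].get(acl, []) if acl else [e for v in cfg["acl"].values() for e in v]
    if not any(p == "gre" and s == src and d == dst for p, s, d in entries):
        findings.append(f"no access list permits gre host {src} host {dst}; the crypto ACL must match the GRE endpoints")
    return findings


# Constructed reproduction of the snippet in the question; the FastEthernet0 address is assumed.
AS_POSTED = """
interface FastEthernet0
 ip address 10.10.10.254 255.255.255.0
interface Tunnel1
 ip address 10.10.254.5 255.255.255.252
 tunnel source 10.10.10.254
 tunnel destination 10.10.11.254
ip route 10.10.10.254 255.255.255.255 FastEthernet0 name tunnel1-to-tunnel2
ip route 10.10.10.21 255.255.255.255 Tunnel1 name tunnel1-to-tunnel2
ip access-list extended tunnel1-to-tunnel2
 permit gre host 10.10.10.21 host 10.10.11.21
"""

# Constructed corrected version: crypto ACL on the GRE endpoints, a host route to the peer via
# an assumed WAN next hop (so it never recurses into the tunnel), the remote subnet via the tunnel.
CORRECTED = """
crypto map TUNNEL-MAP 10 ipsec-isakmp
 set peer 10.10.11.254
 match address tunnel1-to-tunnel2
interface FastEthernet0
 ip address 10.10.10.254 255.255.255.0
 crypto map TUNNEL-MAP
interface Tunnel1
 ip address 10.10.254.5 255.255.255.252
 tunnel source 10.10.10.254
 tunnel destination 10.10.11.254
ip route 10.10.11.254 255.255.255.255 10.10.10.1 name to-gre-peer
ip route 10.10.11.0 255.255.255.0 Tunnel1 name remote-sync-subnet
ip access-list extended tunnel1-to-tunnel2
 permit gre host 10.10.10.254 host 10.10.11.254
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for finding in check_config(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Run as-is, the "as posted" config produces five findings (no route to 10.10.11.254, the redundant /32 for the connected address, the tunnel route into the local subnet, no crypto map applying an ACL, and no ACL entry for GRE between the endpoints) and the corrected one produces none. The host route to the peer via the WAN next hop wins longest-prefix match over the /24 through the tunnel, which is what keeps the tunnel's own encapsulated packets from being routed back into the tunnel.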