Route all Traffic through VPN Point-To-Point

JohnBehmke1776
Level 1

Hi,

 

I am trying to set up our Point-To-Point so that all traffic goes through the VPN and not directly to the internet.

Below is the current config (pre-existing before I arrived). I have never set up a Point-To-Point to do this; I have used AnyConnect and removed split tunneling. If anyone could give me a little help, that would be greatly appreciated.

 

Main Site:

crypto ikev2 authorization policy AUTHOR-POLICY
pool NHS-Pool
route set interface

crypto ikev2 keyring NHSKEYS
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local ******
pre-shared-key remote ******

crypto ikev2 profile default
match identity remote fqdn domain nhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.nhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 1

crypto ikev2 profile S2S
match identity remote fqdn domain s2snhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.s2snhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 10

crypto ikev2 profile ENS-MESH
match identity remote fqdn domain nhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.nhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 1

crypto ikev2 dpd 15 3 periodic

vlan internal allocation policy ascending

crypto keyring Merakey
pre-shared-key address 0.0.0.0 0.0.0.0 key *******
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp profile MERAKEY_LEGACY
keyring Merakey
match identity address 0.0.0.0
virtual-template 30

crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set Merakey_Legacy_TSET esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile Merakey_Legacy
set transform-set Merakey_Legacy_TSET
set isakmp-profile MERAKEY_LEGACY

crypto ipsec profile NHS-IPSEC
set transform-set aes256-sha
set ikev2-profile ENS-MESH

crypto ipsec profile NHS-IPSEC-S2S
set transform-set aes256-sha
set ikev2-profile S2S

 

 

Branch Site:

crypto ikev2 authorization policy AUTHOR-POLICY
route set interface

crypto ikev2 keyring NHSKEYS
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local ********
pre-shared-key remote ********

crypto ikev2 profile default
match identity remote fqdn domain nhsonline.lcl
identity local fqdn 140-Pennsylvania.nhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 1

crypto ikev2 dpd 10 2 periodic
crypto ikev2 client flexvpn NHS-Flex
peer 1 x.x.x.x

crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
mode transport

crypto ipsec profile NHS-IPSEC
set transform-set tset
set ikev2-profile default

14 Replies

Hello,

 

Do you have the full configs? Chances are you have tunnel interfaces on both sides; if you route everything through these tunnels, everything will be encrypted:

 

ip route 0.0.0.0 0.0.0.0 TunnelX

Yes, I have the full config. I did not want to post everything since it has sensitive info like IPs and such.

 

Main Tunnel Interface:

interface Loopback0
ip address 10.35.10.1 255.255.254.0

interface Loopback10
ip address 10.35.20.1 255.255.254.0

interface Loopback30
ip address 10.35.30.1 255.255.255.0

 

interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 100
ip nhrp redirect
tunnel source GigabitEthernet0/0/1
tunnel protection ipsec profile NHS-IPSEC

interface Virtual-Template10 type tunnel
ip unnumbered Loopback10
ip nhrp network-id 200
ip nhrp redirect
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile NHS-IPSEC-S2S

interface Virtual-Template30 type tunnel
ip unnumbered Loopback30
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Merakey_Legacy

 

Branch Tunnel Interface:

interface Loopback0

ip address 10.35.10.23 255.255.254.0

 

interface Tunnel1
ip unnumbered Loopback0
ip mtu 1418
ip nhrp network-id 100
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0/2
tunnel destination x.x.x.x
tunnel protection ipsec profile NHS-IPSEC

 

ip route 0.0.0.0 0.0.0.0 x.x.x.x (WAN ISP IP)

If I am right,
you need an F-VRF for the WAN and global for the tunnel.
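Added example (not from this thread or any of its posters): what the F-VRF (front-door VRF) suggestion looks like on the branch router. It uses the interfaces and addresses from the branch config posted further down the thread (GigabitEthernet0/0/0 50.241.179.221/30 with ISP next hop 50.241.179.222, Tunnel10 to 50.206.50.76, Tunnel20 to 50.232.165.195); the VRF name INET and the backup-route distance 250 are my choices. The point of the design: the ISP default lives only in the VRF, so a tunnel endpoint can never be resolved through a tunnel (the recursion that flaps a VTI when a plain default is pointed at it), and the global table has no path to the Internet except the tunnels.

```cisco
! --- Added example (not from the thread): front-door VRF on the branch C1111 ---
! ISP reachability exists only inside VRF INET; the global table's default points
! at the tunnels, so LAN traffic cannot leak straight to the Internet and the
! tunnel destinations cannot recurse through the tunnel itself.
!
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Moving the WAN interface into the VRF clears its IP address: re-enter it in the
! same change (from the console, not over the WAN, or you lock yourself out).
interface GigabitEthernet0/0/0
 description COMCAST INTERNET
 vrf forwarding INET
 ip address 50.241.179.221 255.255.255.252
 no ip nat outside
!
! The tunnels keep their global-table addressing (unnumbered Loopback10/20); only
! the transport (destination lookup, IKEv2 and ESP) is done in VRF INET.
interface Tunnel10
 tunnel vrf INET
!
interface Tunnel20
 tunnel vrf INET
!
! Underlay default: lives only in the VRF, so only IKE/ESP toward 50.206.50.76 and
! 50.232.165.195 can ever use the ISP directly.
ip route vrf INET 0.0.0.0 0.0.0.0 50.241.179.222
!
! Overlay default: replace the old global default with one via the primary tunnel
! and a floating backup (AD 250) via the secondary tunnel. A VTI's line protocol
! follows its IPsec SA, so the backup installs only when Tunnel10 is really down.
no ip route 0.0.0.0 0.0.0.0 50.241.179.222
ip route 0.0.0.0 0.0.0.0 Tunnel10
ip route 0.0.0.0 0.0.0.0 Tunnel20 250
!
! No local Internet breakout is wanted any more, so the PAT rule goes too
! (clear ip nat translation * first if IOS refuses because mappings are in use).
no ip nat inside source list 102 interface GigabitEthernet0/0/0 overload
interface Vlan1
 no ip nat inside
```

After applying: show ip route vrf INET should list only the connected /30 and the VRF default; show ip route 0.0.0.0 in the global table should show Tunnel10, with the Tunnel20 entry hidden until Tunnel10 drops; show crypto ikev2 sa should show both peers READY. SSH from the public management addresses in access-list 10 now arrives in VRF INET, which still works because the VRF has a default route. Unrelated to the routing, but worth doing now that the configs are on a public forum: the posted main-site config contains the legacy ISAKMP pre-shared key in cleartext, and both routers use type 5 (MD5) secrets; rotate them.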

We do not have enough information to understand this environment and therefore it is difficult to give you good advice. I understand wanting to protect sensitive information, but if you do not give us enough information to work with then our efforts are pretty much guaranteed to not be good enough.

 

Am I correct in assuming that the main site has multiple tunnels?

 

Part of what you show us from the Branch looks like VTI and some looks like DMVPN. Can you help us understand this better?

 

Are you running a dynamic routing protocol between Main and Branch? If so what protocol? If not is it based on static routing?

 

That static default route you show for the branch will send Internet traffic directly to the ISP. What I would expect to see is the default static route pointing through the tunnel and then some static route for the tunnel destination address. Can you provide more information about the routing logic?

HTH

Rick

Sorry for the delay in responding; I had some other emergencies come up. One thing I have to mention is that I have inherited this network and do not fully know what was set up and why. This is the beginning of my 5th week with the company.

 

Here are the full configs

Main site:

Current configuration : 13057 bytes
!
! Last configuration change at 07:46:38 EST Mon Mar 15 2021 by nhsadmin
! NVRAM config last updated at 07:47:26 EST Fri Mar 12 2021 by nhsadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Merakey-VPN-906
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 80000 informational
enable secret 5 $1$SU3Z$koLKReqfFDEommgUSG8kc1
!
aaa new-model
!
!
aaa authorization network LOCALIKEv2 local
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
!
!
!
!
!
!
!
!
!
!
!

 

ip domain name nhsonline.lcl
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
flow exporter VPN-EXPORTER-1
description exports VPN traffic to Solarwinds
destination 10.3.236.104
source GigabitEthernet0/0/0
transport udp 2055
export-protocol netflow-v5
!
!
flow monitor FlowMonitor1
exporter VPN-EXPORTER-1
record netflow ipv4 original-input
!
!
!
!
!
license udi pid ISR4331/K9 sn FDO212912KW
!
spanning-tree extend system-id
!
username nhsadmin privilege 15 secret 5 $1$xi0Q$dnjBA0FI9lYgxkxmQJMo41
username aosiol privilege 15 secret 5 $1$vU6o$aWYJSwMhRTKqrZirArO4A0
!
redundancy
mode none
!
crypto ikev2 authorization policy AUTHOR-POLICY
pool NHS-Pool
route set interface
!
!
!
crypto ikev2 keyring NHSKEYS
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local *******
pre-shared-key remote *******
!
!
!
crypto ikev2 profile default
match identity remote fqdn domain nhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.nhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 1
!
crypto ikev2 profile S2S
match identity remote fqdn domain s2snhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.s2snhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 10
!
crypto ikev2 profile ENS-MESH
match identity remote fqdn domain nhsonline.lcl
identity local fqdn NHS-DMZ-VPN01.nhsonline.lcl
authentication local pre-share
authentication remote pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
virtual-template 1
!
crypto ikev2 dpd 15 3 periodic
!
!
vlan internal allocation policy ascending
!
!
crypto keyring Merakey
pre-shared-key address 0.0.0.0 0.0.0.0 key nhsr0cks!one*
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp profile MERAKEY_LEGACY
keyring Merakey
match identity address 0.0.0.0
virtual-template 30
!
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set Merakey_Legacy_TSET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile Merakey_Legacy
set transform-set Merakey_Legacy_TSET
set isakmp-profile MERAKEY_LEGACY
!
crypto ipsec profile NHS-IPSEC
set transform-set aes256-sha
set ikev2-profile ENS-MESH
!
crypto ipsec profile NHS-IPSEC-S2S
set transform-set aes256-sha
set ikev2-profile S2S
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.35.10.1 255.255.254.0
!
interface Loopback10
ip address 10.35.20.1 255.255.254.0
!
interface Loopback30
ip address 10.35.30.1 255.255.255.0
!
interface Tunnel10
no ip address
!
interface GigabitEthernet0/0/0
description UPLINK to CORE 1
ip address 10.25.10.2 255.255.255.252
ip flow monitor FlowMonitor1 input
ip flow monitor FlowMonitor1 output
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description UPLINK to 906 ASA
ip address 10.25.10.5 255.255.255.252
ip flow monitor FlowMonitor1 input
load-interval 30
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description Merakey_906-Core_1:ETH 1/46
ip address 10.25.10.10 255.255.255.252
ip flow monitor FlowMonitor1 input
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 100
ip nhrp redirect
tunnel source GigabitEthernet0/0/1
tunnel protection ipsec profile NHS-IPSEC
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback10
ip nhrp network-id 200
ip nhrp redirect
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile NHS-IPSEC-S2S
!
interface Virtual-Template30 type tunnel
ip unnumbered Loopback30
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Merakey_Legacy
!
interface Vlan1
no ip address
shutdown
!
!
router eigrp 100
network 10.25.10.0 0.0.0.255
network 10.35.10.0 0.0.1.255
network 10.35.20.0 0.0.1.255
redistribute static route-map NON-VPN-CONNECTED-STATICS
passive-interface default
no passive-interface Virtual-Template1
no passive-interface GigabitEthernet0/0/0
no passive-interface Virtual-Template10
no passive-interface GigabitEthernet0/0/2
eigrp router-id 10.35.10.1
!
ip local pool NHS-Pool 10.35.10.2 10.35.11.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 10.25.10.6
ip route 10.30.16.0 255.255.240.0 10.25.10.9 tag 2
ip route 10.30.32.0 255.255.240.0 10.25.10.9 tag 2
ip route 10.101.0.0 255.255.0.0 10.25.10.9 tag 2
ip route 50.241.179.221 255.255.255.255 10.25.10.9
ip route 67.225.220.179 255.255.255.255 10.25.10.9
ip route 172.31.210.0 255.255.255.0 10.25.10.9 tag 2
ip route 172.31.254.0 255.255.255.0 10.25.10.9 tag 2
ip ssh version 2
!
!
logging origin-id hostname
logging source-interface GigabitEthernet0/0/0
logging host 10.3.237.140
access-list 10 remark restrict access to VTY Lines to 906 Bethlehem Pike
access-list 10 permit 10.0.0.0 0.255.255.255 log
access-list 10 permit 172.31.0.0 0.0.255.255 log
access-list 10 permit 172.16.0.0 0.0.255.255 log
access-list 10 deny any log
!
route-map NON-VPN-CONNECTED-STATICS permit 10
match tag 2
!
route-map NON-VPN-CONNECTED-STATICS deny 20
!
snmp-server group V3Group v3 auth read V3Read write V3Write
snmp-server view V3Read iso included
snmp-server view V3Write iso included
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps pfr
snmp-server enable traps flowmon
snmp-server enable traps ds1
snmp-server enable traps entity-perf throughput-notif
snmp-server enable traps ds3
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps casa
snmp-server enable traps license
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dhcp
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps pimstdmib neighbor-loss invalid-register invalid-join-prune rp-mapping-change interface-election
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps ip local pool
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps pki
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps ether-oam
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps entity-state
snmp-server enable traps entity-qfp mem-res-thresh throughput-notif
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps flash insertion removal
snmp-server enable traps srp
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps cnpd
snmp-server enable traps bgp cbgp2
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps ipsla
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps c3g
snmp-server enable traps LTE
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps dot1x
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps gdoi ks-role-change
snmp-server enable traps gdoi ks-gm-deleted
snmp-server enable traps gdoi ks-peer-reachable
snmp-server enable traps gdoi ks-peer-unreachable
snmp-server enable traps firewall serverstatus
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps alarms informational
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps transceiver all
snmp-server host 10.3.236.104 version 3 auth V3User
!
!
!
!
control-plane
!
banner motd ^CC
****************************WARNING*********************************************
WARNING NOTICE: This is a private system for use by NHS Human Services
and its affiliates. The actual or attempted, unauthorized access, use or
modification of this system is strictly prohibited. Individuals undertaking
such unauthorized access, use or modification are subject to company
disciplinary proceedings and/or criminal and civil penalties under applicable
domestic and foreign laws. The use of this system may be monitored and recorded
for administrative and security reasons in accordance with local law.
If such monitoring and/or recording reveals possible evidence of
criminal activity, the results of such monitoring may be provided to law
enforcement officials. Continued use of this system after receipt of this
notice constitutes consent to such security monitoring and recording.
********************************************************************************

^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 10 in
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh
!
ntp server 10.3.236.54 prefer source GigabitEthernet0/0/0
!
end

 

Branch Site:

Current configuration : 14296 bytes
!
! Last configuration change at 08:39:16 EDT Mon Mar 15 2021 by JOhn.Behmke
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Merakey_801-E.Park-Ave_1100r
!
boot-start-marker
boot-end-marker
!
!
logging buffered 400000 informational
enable secret 5 $1$YWOO$KtZoL8MseLt6bhzA9pT.x0
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization network LOCALIKEv2 local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 2 default stop-only group tacacs+
aaa accounting commands 3 default stop-only group tacacs+
aaa accounting commands 4 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 6 default stop-only group tacacs+
aaa accounting commands 7 default stop-only group tacacs+
aaa accounting commands 8 default stop-only group tacacs+
aaa accounting commands 9 default stop-only group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 11 default stop-only group tacacs+
aaa accounting commands 12 default stop-only group tacacs+
aaa accounting commands 13 default stop-only group tacacs+
aaa accounting commands 14 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
!
ip domain name merakey.lcl
ip dhcp excluded-address 172.31.19.200 172.31.19.254
!
ip dhcp pool LAN_DHCP_Pool
network 172.31.19.0 255.255.255.0
default-router 172.31.19.254
domain-name nhsonline.lcl
netbios-name-server 10.3.236.239 10.3.236.232
dns-server 10.3.237.33 10.3.237.34
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
flow record Merakey
match interface input
match ipv4 source address
match ipv4 destination address
match ipv4 tos
match ipv4 protocol
match transport source-port
match transport destination-port
match flow sampler
collect interface output
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!
!
flow exporter Merakey-Orion
description Merakey Solarwinds netflow server(Orion)
destination 10.3.236.104
source Vlan1
transport udp 2055
!
!
flow monitor Merakey-Monitor
exporter Merakey-Orion
record Merakey
!
!
!
!
!
!
license udi pid C1111-4P sn FGL2342LF37
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
username nhsadmin privilege 15 secret 5 $1$jxqJ$vlvfCEzjPc6Lp.RdZ9/yW0
username solarwinds privilege 15 secret 5 $1$fgTx$wfKNPG6wW8PoVHvgd95XM/
!
redundancy
mode none
!
crypto ikev2 authorization policy AUTHOR-POLICY
route set interface
!
!
!
crypto ikev2 keyring NHSKEYS
peer ANY-PEER
address 0.0.0.0 0.0.0.0
pre-shared-key local *******
pre-shared-key remote *******
!
!
!
crypto ikev2 profile S2S
match identity remote fqdn domain s2snhsonline.lcl
identity local fqdn 801-Park.s2snhsonline.lcl
authentication remote pre-share
authentication local pre-share
keyring local NHSKEYS
aaa authorization group psk list LOCALIKEv2 AUTHOR-POLICY
!
crypto ikev2 dpd 15 3 periodic
crypto ikev2 client flexvpn NHS-Flex
peer 1 50.206.50.76
peer 2 50.232.165.195
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto ipsec transform-set aes256-sha256 esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile MKY-IPSEC-S2S
set transform-set aes256-sha256
set ikev2-profile S2S
!
crypto ipsec profile NHS-IPSEC-S2S
set transform-set tset
set ikev2-profile S2S
!
!
!
!
!
!
!
!
!
!
interface Loopback10
ip address 10.35.20.228 255.255.254.0
!
interface Loopback20
ip address 10.35.120.228 255.255.254.0
!
interface Tunnel10
bandwidth 100000
ip unnumbered Loopback10
ip mtu 1420
ip tcp adjust-mss 1380
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 50.206.50.76
tunnel protection ipsec profile NHS-IPSEC-S2S
!
interface Tunnel20
bandwidth 100000
ip unnumbered Loopback20
ip mtu 1420
ip tcp adjust-mss 1380
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 50.232.165.195
tunnel protection ipsec profile MKY-IPSEC-S2S
!
interface GigabitEthernet0/0/0
description COMCAST INTERNET
ip flow monitor Merakey-Monitor input
ip address 50.241.179.221 255.255.255.252
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
description INSIDE LAN
ip flow monitor Merakey-Monitor input
ip address 172.31.19.254 255.255.255.0
ip nat inside
ip access-group DENY_VPN in
ip virtual-reassembly
!
!
router eigrp 100
distribute-list prefix ALLOWED_INC_EIGRP_ROUTES in
network 10.35.20.0 0.0.1.255
network 172.31.19.0 0.0.0.255
passive-interface default
no passive-interface Tunnel10
eigrp router-id 10.35.20.228
eigrp stub connected summary
!
!
router eigrp 200
distribute-list prefix ALLOWED_INC_EIGRP_ROUTES in
network 10.35.120.0 0.0.1.255
network 172.31.19.0 0.0.0.255
distance eigrp 175 175
passive-interface default
no passive-interface Tunnel20
eigrp router-id 10.35.120.228
eigrp stub connected summary
!
ip nat inside source list 102 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 50.241.179.222
ip tacacs source-interface Vlan1
ip ssh version 2
!
!
ip access-list extended DENY_VPN
deny udp any any eq isakmp
deny tcp any any eq 10000
permit ip any any
!
!
ip prefix-list ALLOWED_INC_EIGRP_ROUTES description Only RFC1918 networks
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 1 permit 23.235.121.32/30 le 32
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 2 permit 63.146.98.32/30 le 32
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 5 permit 172.16.0.0/12 le 32
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 10 permit 192.168.0.0/16 le 32
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 15 permit 10.0.0.0/8 le 32
ip prefix-list ALLOWED_INC_EIGRP_ROUTES seq 20 deny 0.0.0.0/0 le 32
access-list 10 remark restrict access to VTY Lines to 906 Bethlehem Pike
access-list 10 permit 50.206.48.238 log
access-list 10 permit 173.167.77.221 log
access-list 10 permit 50.206.50.64 0.0.0.31 log
access-list 10 permit 10.0.0.0 0.255.255.255 log
access-list 10 permit 172.31.0.0 0.0.255.255 log
access-list 10 permit 172.16.0.0 0.0.255.255 log
access-list 10 remark restrict access to VTY Lines to 906 Bethlehem Pike
access-list 10 permit 50.232.165.192 0.0.0.31 log
access-list 10 permit 12.150.6.0 0.0.0.31 log
access-list 10 deny any log
access-list 102 deny ip 172.31.19.0 0.0.0.255 172.0.0.0 0.240.255.255
access-list 102 deny ip 172.31.19.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 172.31.19.0 0.0.0.255 any
!
!
snmp-server group V3Group v3 auth read V3Read write V3Write
snmp-server view V3Read iso included
snmp-server view V3Write iso included
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps pfr
snmp-server enable traps flowmon
snmp-server enable traps ds1
snmp-server enable traps entity-perf throughput-notif
snmp-server enable traps ds3
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps casa
snmp-server enable traps license
snmp-server enable traps smart-license
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dhcp
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps pimstdmib neighbor-loss invalid-register invalid-join-prune rp-mapping-change interface-election
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps ip local pool
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps pki
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps ether-oam
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps entity-state
snmp-server enable traps entity-qfp mem-res-thresh throughput-notif
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps entity-sensor
snmp-server enable traps flash insertion removal lowspace
snmp-server enable traps srp
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps cnpd
snmp-server enable traps bfd
snmp-server enable traps bgp cbgp2
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps ipsla
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps c3g
snmp-server enable traps LTE
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps gdoi ks-role-change
snmp-server enable traps gdoi ks-gm-deleted
snmp-server enable traps gdoi ks-peer-reachable
snmp-server enable traps gdoi ks-peer-unreachable
snmp-server enable traps firewall serverstatus
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps alarms informational
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps transceiver all
snmp-server host 10.3.236.104 version 3 auth V3User
!
tacacs server NHSCP
address ipv4 10.3.236.134
key 7 0477330902755E64
!
!
!
control-plane
!
banner motd ^C
****************************WARNING*********************************************
WARNING NOTICE: This is a private system for use by Merakey
and its affiliates. The actual or attempted, unauthorized access, use or
modification of this system is strictly prohibited. Individuals undertaking
such unauthorized access, use or modification are subject to company
disciplinary proceedings and/or criminal and civil penalties under applicable
domestic and foreign laws. The use of this system may be monitored and recorded
for administrative and security reasons in accordance with local law.
If such monitoring and/or recording reveals possible evidence of
criminal activity, the results of such monitoring may be provided to law
enforcement officials. Continued use of this system after receipt of this
notice constitutes consent to such security monitoring and recording.
********************************************************************************

^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 10 in
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

 

Hello,

 

If you want all Branch router traffic to go to the Main site (over the VPN), remove the current static route and send everything over the tunnel:

 

--> no ip route 0.0.0.0 0.0.0.0 50.241.179.222

--> ip route 0.0.0.0 0.0.0.0 Tunnel10 (or Tunnel20, whatever tunnel is connected to the main site).

Changing the static default route is one possibility. Given that they are running EIGRP over the tunnel it would also be an alternative to have EIGRP advertise a default route over the tunnel.

HTH

Rick

I tried routing all traffic with the default route and it took the site down. I was thinking that setting a static route just for the external ip of our main location and then do the default route of the tunnel. But I would also need to set it up for both tunnels with weights. Does that sound correct?

I am not clear what you mean when you say that it took the site down when you implemented the default route. Was the site not able to communicate at all? Did the site lose the ability to access the Internet? One thing to bear in mind as you try to have all of their traffic come over the encrypted vpn tunnel is that now their traffic to Internet will arrive at your site with the source address being their private IP subnet. To access the Internet your main site will have to update their configuration of address translation to translate the addresses for the remote site.

 

I am not clear about the purpose and function of the second tunnel. But it seems to me that one advantage of having EIGRP advertise a default route is that EIGRP is already set up to use both tunnels and to apply appropriate weights to have the traffic flow the way that you want it to.

HTH

Rick

The tunnel went down and the site had no internet connection. 

 

Thanks for the clarification. That is pretty severe. Here is the issue. The existing default route (ip route 0.0.0.0 0.0.0.0 50.241.179.222) provides a path toward the tunnel destination of 50.206.50.76 for tunnel 10 and 50.232.165.195 for tunnel 20. But when you remove the static default route and configure a new static default route then the tunnel destination is reachable by going through the tunnel. Cisco calls this recursive routing and it causes the tunnel to fail. The solution would be to configure static routes for both tunnel destination addresses then the default route through the tunnel should work.

ip route 50.206.50.76 255.255.255.255 50.241.179.222

ip route 50.232.165.195 255.255.255.255 50.241.179.222

HTH

Rick
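Rick's recursive-routing explanation above, worked through as an added example. This is not code from the thread or from either router's configuration; it is a small Python model of the branch router's routing table. The tunnel destinations 50.206.50.76 (Tunnel10) and 50.232.165.195 (Tunnel20) and the ISP next hop 50.241.179.222 are the addresses quoted in the thread; the branch WAN subnet 50.241.179.220/30 on GigabitEthernet0/0 and the Internet host 203.0.113.10 are constructed assumptions. It shows why `ip route 0.0.0.0 0.0.0.0 Tunnel10` on its own makes each tunnel endpoint resolve through the tunnel itself, and that adding the two /32 routes restores a physical path for the endpoints while Internet traffic still enters the tunnel:

```python
"""Model of the recursive-routing failure described in the thread (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    # Either a next-hop address that must be looked up again (as in
    # "ip route 0.0.0.0 0.0.0.0 50.241.179.222") or a direct egress interface
    # (as in "ip route 0.0.0.0 0.0.0.0 Tunnel10", or a connected route).
    next_hop: Optional[IPv4] = None
    interface: Optional[str] = None


class RecursiveRouteError(Exception):
    """Raised when next-hop resolution never reaches an interface."""


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: Optional[str] = None,
            interface: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(prefix),
                                 IPv4(next_hop) if next_hop else None, interface))

    def lookup(self, dst: str | IPv4) -> Optional[Route]:
        """Longest-prefix match, as the RIB does."""
        addr = IPv4(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def egress(self, dst: str | IPv4, max_depth: int = 8) -> Optional[str]:
        """Resolve dst to an egress interface, following next hops recursively."""
        current = IPv4(dst)
        for _ in range(max_depth):
            route = self.lookup(current)
            if route is None:
                return None                      # no route at all
            if route.interface is not None:
                return route.interface
            current = route.next_hop             # recurse on the next hop
        raise RecursiveRouteError(f"{dst} never resolves to an interface")


# Addresses from the thread; the Internet host is a constructed documentation address.
TUNNELS: Dict[str, str] = {"Tunnel10": "50.206.50.76", "Tunnel20": "50.232.165.195"}
ISP_NEXT_HOP = "50.241.179.222"
INTERNET_HOST = "203.0.113.10"


def viable_tunnels(table: RoutingTable, tunnels: Dict[str, str]) -> Set[str]:
    """Fixed-point check: a tunnel is down if its destination has no route,
    resolves to the tunnel itself (recursive routing), or resolves through
    another tunnel that is already down."""
    up = set(tunnels)
    changed = True
    while changed:
        changed = False
        for name in sorted(up):
            out = table.egress(tunnels[name])
            if out is None or out == name or (out in tunnels and out not in up):
                up.discard(name)
                changed = True
    return up


def branch_table() -> RoutingTable:
    """Branch router with only its WAN connected route (subnet is constructed)."""
    t = RoutingTable()
    t.add("50.241.179.220/30", interface="GigabitEthernet0/0")
    return t


def scenario(default_via_tunnel: bool, host_routes: bool) -> Tuple[Set[str], Optional[str]]:
    """Returns (tunnels that stay up, egress interface for Internet traffic)."""
    t = branch_table()
    if host_routes:
        for dst in TUNNELS.values():               # Rick's fix: one /32 per tunnel endpoint
            t.add(f"{dst}/32", next_hop=ISP_NEXT_HOP)
    if default_via_tunnel:
        t.add("0.0.0.0/0", interface="Tunnel10")   # ip route 0.0.0.0 0.0.0.0 Tunnel10
    else:
        t.add("0.0.0.0/0", next_hop=ISP_NEXT_HOP)  # ip route 0.0.0.0 0.0.0.0 50.241.179.222
    return viable_tunnels(t, TUNNELS), t.egress(INTERNET_HOST)


if __name__ == "__main__":
    for label, args in [("original", (False, False)),
                        ("default via Tunnel10, no host routes", (True, False)),
                        ("default via Tunnel10 + host routes", (True, True))]:
        up, inet = scenario(*args)
        print(f"{label:40s} tunnels up={sorted(up)} internet via {inet}")
```

The model simplifies what IOS actually does: the router detects that the tunnel destination is reached via the tunnel, logs a recursive-routing message and brings the tunnel line protocol down, which in turn withdraws the static default route pointing at that interface. The fixed-point loop in `viable_tunnels` approximates that cascade, which is why the second scenario ends with both tunnels down and no Internet path, matching the "tunnel went down and the site had no internet connection" report above.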

OK, so what I was thinking is the same.

 

"I tried routing all traffic with the default route and it took the site down. I was thinking that setting a static route just for the external ip of our main location and then do the default route of the tunnel. But I would also need to set it up for both tunnels with weights. Does that sound correct?"

 

And using EIGRP will work later in the process. We have over 90 locations on this VPN and we want to test this on a few before sending all of them. Don't want to kill our internet connection!

I am still not clear about the function of both tunnels but setting up static routes for tunnel destination and default route pointed at tunnel with weights for each tunnel would seem to make good sense.

HTH

Rick

Both tunnels are for connections to both datacenters. The plan for later is to have all traffic from all locations go to either datacenter so if the internet at one goes out the users can still get internet and get to the internal network.

 
