From what I can tell, your 10.1.x.x networks are not in the encryption domain for your IPsec tunnel. So, the packet will follow the default routes in place already (x.x.x.237 on the 1841 and x.x.x.33 on the 871) unencrypted. If your intent is to connect these privately addressed networks over the internet or a WAN you can't control routing for, you'll need to add those networks to the encryption domain. After that, they'll follow the default route already in place; however, they will be encrypted and passed to the other IPsec tunnel endpoint. Same for the reverse path. For pings, you'll also need to add ICMP from/to your public IP address to the encryption domain and/or use an extended ping to source from your 10.1.x.x interface. After you get the encryption domain specified properly, you should be OK, provided your tunnel sets up right.
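
As an added example (not part of the original post), the following sketch checks whether a flow falls inside a crypto ACL's encryption domain and whether the two peers' ACLs mirror each other for the reverse path. The subnets 10.1.1.0/24 and 10.1.2.0/24, the public address 203.0.113.5, and the simplified `permit ip` ACL form are assumptions, since the post only gives 10.1.x.x.

```python
import ipaddress
import re

# Constructed crypto ACL entries in IOS "permit ip <net> <wildcard> <net> <wildcard>" form.
# Subnets are assumed for illustration; the post only says 10.1.x.x.
ACL_1841 = "permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255"
ACL_871 = "permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
# Constructed mistake: the peer's destination is wider than the 1841's source.
ACL_871_BROKEN = "permit ip 10.1.2.0 0.0.0.255 10.1.0.0 0.0.255.255"

ENTRY = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _net(addr, wildcard):
    # ipaddress accepts a host mask (the IOS wildcard) after the slash.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def parse_acl(text):
    """Return [(src_net, dst_net)] for every 'permit ip' line in text."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            src, swild, dst, dwild = m.groups()
            pairs.append((_net(src, swild), _net(dst, dwild)))
    return pairs


def is_encrypted(acl, src, dst):
    """True if src -> dst matches the encryption domain; otherwise the
    packet just follows the default route unencrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def mirror_mismatches(local, remote):
    """Local entries that have no exactly reversed entry on the peer."""
    reversed_remote = {(d, s) for s, d in remote}
    return [pair for pair in local if pair not in reversed_remote]


if __name__ == "__main__":
    acl = parse_acl(ACL_1841)
    # Ping sourced from the 10.1.x.x interface (extended ping): inside the domain.
    print(is_encrypted(acl, "10.1.1.10", "10.1.2.20"))
    # Ping sourced from the public interface: outside the domain, sent in the clear.
    print(is_encrypted(acl, "203.0.113.5", "10.1.2.20"))
    print(mirror_mismatches(acl, parse_acl(ACL_871_BROKEN)))
```
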