The nat on the 1861 indicate that the traffic from VLAN1 (192.168.8.0/24) will
get natted when going towards the BVI1 (10.1.1.0/24 network.)
ip access-list extended NAT-ALLOWED
deny ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 any
deny ip any 10.0.0.0 0.255.255.255
ACL's are processed from top to bottom. the permit statement on line 2 will take effect before the deny statement on line 3.
Also you dont have the crypto ipsec client ezvpn XXXXXXXXXX inside command on SVI VLAN100.