I think the problem is at linematch address SERVER-CLISERVER-CLI don't match to anything in your config. Write a named access-list that match the IP source and/or destinationwhich should trigg to open the VPN connection.Take a look in the documentati...
Do a show vtp status on every switch and see if Configuration Revision is the same. If 3512 have a higher revision than 4500. It will not update its vlandatabase with vlan 60 and because of that 3512 will not pass vlan 60 out on the trunk to the 2900...