3367 Views, 0 Helpful, 1 Replies

1921 IPsec VPN internet

kapplejacks
Level 1

Hello Cisco community!

I got a 1921 with a security license applied. I'm trying to create a Remote Access VPN using Split Tunneling. I have configured an L2TP/IPsec connection on a 5506X, but I have never configured one on a router. I've seen a few Cisco documents about creating L2TP or IPsec VPNs and I am successful in those configurations, being able to connect to the VPN and access local shares, but I am unable to get to the internet. It appears the client is not getting a default gateway, or possibly there is a routing or ACL issue, but I'm not having any luck determining what is amiss. When connected to the VPN using the config below I am able to ping a resource; the reply IP shows as coming from my public IP. I am able to ping my public IP; the reply IP shows as coming from my public IP. I am not able to ping Google or navigate to the IP address of a public web server. I would be grateful for any help.

The Cisco links I have used for configuring either IPsec or L2TP/IPsec:

IPsec: https://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
L2TP/IPsec: https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/3886-l2tp-3886.html#iosforl2tp
hostname R1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 #
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network default local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name DOMAIN.LOCAL
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FHK14397471
license boot module c1900 technology-package securityk9
!
!
username user1 password 7 #
!
redundancy
!
crypto ikev2 policy 10
! Policy Incomplete(should have atleast one complete proposal attached)
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 4.2.2.2
domain DOMAIN.LOCAL
pool VPN_IPPOOL
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
description VPN_GATEWAY
ip address 172.16.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-CLIENT
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/1
description INSIDE
ip address 172.16.16.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip local pool VPN_IPPOOL 192.168.1.1 192.168.1.50
ip forward-protocol nd
!
ip http server
ip http secure-server
!

ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ###.###.###.### 254
!
ip access-list extended NAT
permit ip any any
!
logging trap debugging
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 172.16.16.0 0.0.0.255 any
!
!
!
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 172.16.17.1
!
!
!
!
!
control-plane
!
!
alias exec srb show run | b
alias exec sib show ip int brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

1 Reply
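Added example, not part of kapplejacks' post and not copied from the linked Cisco pages: the hairpin ("VPN on a stick") pieces of the configuration above with the corrections a practitioner would check first. IOS route-map names are case-sensitive, so `ip policy route-map VPN-CLIENT` on GigabitEthernet0/0 does not bind to `route-map VPN-Client`; without policy routing, decrypted client packets are sent straight back out GigabitEthernet0/0 without ever crossing an `ip nat inside` interface, so they leave with their 192.168.1.x source and never get a reply. The example also follows the linked Cisco document in pointing `set ip next-hop` at an unused address on the loopback subnet rather than the loopback's own address (172.16.17.2 is an assumed address), adds the NAT exemption for LAN-to-client traffic, and finishes with the split-tunnel variant the post says it wants (ACL 150 is an assumed number). Only lines that differ from the post are shown; everything else is assumed unchanged.

```ios
! Added example (not the poster's config and not from the linked Cisco pages):
! the hairpin pieces of the configuration above, corrected. Only the lines that
! differ from the post are shown; everything else is assumed unchanged.
!
! Loopback0 is the "ip nat inside" interface that decrypted client traffic is
! bounced through, so the overload NAT rule applies to it on the way back out
! GigabitEthernet0/0.
interface Loopback0
 description VPN_GATEWAY
 ip address 172.16.17.1 255.255.255.0
 ip nat inside
!
! Route-map names are case-sensitive. The post applies VPN-CLIENT to the
! interface but defines VPN-Client, so no policy routing happens at all.
interface GigabitEthernet0/0
 ip policy route-map VPN-Client
!
! Match only the client pool: that is the only source that arrives decrypted
! on GigabitEthernet0/0 and needs the hairpin.
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
!
! As in the linked Cisco document, the next hop is an unused address on the
! loopback subnet (172.16.17.2 is assumed), not the loopback's own address.
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 172.16.17.2
!
! NAT: exempt LAN-to-client traffic first. IOS translates inside-to-outside
! packets before it encrypts them, so with "permit ip any any" a LAN host's
! reply to a client is sourced from the public IP before it enters the tunnel,
! which is consistent with the "reply from my public IP" seen in the post.
ip access-list extended NAT
 deny   ip 172.16.16.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.16.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! Alternative, split tunnel (what the post says it wants): push only the LAN
! prefix to the client; internet traffic then never enters the tunnel and the
! hairpin above is not needed. ACL number 150 is assumed.
access-list 150 permit ip 172.16.16.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp client configuration group vpnclient
 acl 150
!
! Checks after a client connects:
!   show ip route 192.168.1.0 255.255.255.0 longer-prefixes   (RRI routes)
!   show route-map VPN-Client                                 (policy matches)
!   show ip nat translations | include 192.168.1.             (hairpin NAT)
```

Two caveats outside the routing problem: the group pre-shared key (`key cisco123`) is visible in clear text in the posted config and should be changed now that it is public, and 3DES, MD5 and DH group 2 in `crypto isakmp policy 3` and the transform set are legacy choices; AES, SHA and a larger DH group are supported on the same platform and license.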