837 RA IPSec VPN not forwarding traffic

bluesteel
Level 1

Why is this 837 not forwarding VPN traffic?

1. The tunnel comes up
2. 837 can ping vpn-cli 192.168.3.x ip
3. vpn-cli can ping all 837 interfaces through tunnel
4. vpn-cli can not ping 192.168.100.254 on talktalk through tunnel
5. 837 can ping 192.168.100.254 on talktalk
6. vpn-cli 192.198.1.11 has to route to 10.10.10.10 to establish the tunnel
7. all routing works when not connected to VPN
8. vpn-cli-ip persists in routing table of 837 after being disconnected, only reload removes them
9. when 192.168.1.11 is not connected to the VPN, a trace to vpn-cli-ip gets routed back to talktalk for some IPs in the 192.168.3.0/24 range and times out, but for others it times out at the 837

topology and config below

trace and 837 output attached

topology
                                                            837
                                          Vpn-cli-pool_192.168.3.0/24
                                          loop0_10.10.10.10/32 (vpn-srv-tep)                                       talktalk
(vpn-cli-tep).11 ----192.168.100.0/24-----(eth0.2)Eth0-pri_192.168.2.253/32(eth0.1)-----192.168.2.0/24-----(LAn0.2)Lan0-pri_192.168.1.254/32(Lan0.1)
                                          Eth0-sec_192.168.100.254/32                                              Lan0-sec_192.168.2.254/32
                                                                                                                        *****WLAN*****
                                                                                                                        (vpn-cli-tep)2.11

config

ciscokid837#sh run
Building configuration...

Current configuration : 3871 bytes
!
! Last configuration change at 17:20:14 GMT Mon May 9 2022 by cisco
! NVRAM config last updated at 14:06:13 GMT Mon May 9 2022 by cisco
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ciscokid837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 $1$gqsN$vkLjP4dwG2DJt2vgaINez0
enable password 7 02250D480809
!
username admin privilege 15 password 7 070C285F4D065929
username cisco password 7 030752180500
clock timezone GMT 1
aaa new-model
!
!
aaa authentication login abc1 local
aaa authorization network abc2 local
aaa session-id common
ip subnet-zero
ip tftp source-interface Ethernet0
ip domain name ciscokid.local
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.200 192.168.100.254
!
ip dhcp pool VPN-DMZ-2
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 192.168.1.254
lease 3
!
!
ip cef
ip audit po max-events 100
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key cisco123
pool VPNPOOL
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
set transform-set set1
reverse-route
!
!
crypto map map1 local-address Loopback0
crypto map map1 client authentication list abc1
crypto map map1 isakmp authorization list abc2
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
crypto map map1
!
interface Ethernet0
ip address 192.168.100.254 255.255.255.0 secondary
ip address 192.168.2.253 255.255.255.0
crypto map map1
hold-queue 100 out
!
interface Ethernet0.1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip local pool VPNPOOL 192.168.3.1 192.168.3.50
ip default-gateway 192.168.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.254
ip route 192.168.3.0 255.255.255.0 Ethernet0
ip http server
ip http secure-server
!
!
logging trap debugging
logging source-interface Ethernet0
logging 192.168.1.11
access-list 10 permit 192.168.1.11 log
access-list 10 permit 192.168.1.10 log
snmp-server community xxxxxxx RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps pppoe
snmp-server enable traps l2tun session
snmp-server enable traps rtr
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 10 in
privilege level 15
password 7 094F471A1A0A
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
sntp logging
sntp server 51.89.151.183
!
end
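As an added example (not the poster's config or any Cisco tool), a short Python audit that parses the crypto and routing lines from the running-config above and reports what a reviewer would check first: the 3DES/MD5/DH group 2 ISAKMP and transform-set choices, and the static `ip route 192.168.3.0 255.255.255.0 Ethernet0`, which covers the same VPNPOOL range that reverse-route injection populates with per-client host routes. A static route whose next hop is a broadcast interface rather than an address makes the router ARP for each destination on that segment, so any pool address without an injected /32 is resolved on Ethernet0; the script only flags the overlap for verification against the routing table, it does not diagnose the thread's symptoms.

```python
import ipaddress
import re

# Constructed excerpt of the 837 running-config posted above (crypto and routing lines only).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto dynamic-map map1 10
set transform-set set1
reverse-route
ip local pool VPNPOOL 192.168.3.1 192.168.3.50
ip route 0.0.0.0 0.0.0.0 192.168.2.254
ip route 192.168.3.0 255.255.255.0 Ethernet0
"""

# Cipher, hash and DH-group tokens that current IPsec guidance treats as weak.
WEAK_TOKENS = ("des", "3des", "md5", "group 1", "group 2")
CRYPTO_PREFIXES = ("encr", "hash", "group", "crypto ipsec transform-set")


def audit_vpn_config(text):
    """Return weak-crypto lines and static routes that cover an RA VPN address pool."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    weak = [ln for ln in lines if ln.startswith(CRYPTO_PREFIXES)
            and any(re.search(rf"\b{tok}\b", ln) for tok in WEAK_TOKENS)]
    # reverse-route on the dynamic map injects a /32 for each connected client.
    reverse_route = "reverse-route" in lines
    pools = [(m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for ln in lines if (m := re.match(r"ip local pool (\S+) (\S+) (\S+)", ln))]
    overlaps = []
    for ln in lines:
        m = re.match(r"ip route (\S+) (\S+) (\S+)", ln)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        if net.prefixlen == 0:
            continue  # the default route legitimately covers everything
        for name, lo, hi in pools:
            if lo <= net.broadcast_address and hi >= net.network_address:
                overlaps.append({"route": ln, "pool": name, "reverse_route": reverse_route,
                                 # interface-only next hop: router ARPs for each pool address
                                 "via_interface": not m[3][0].isdigit()})
    return {"weak_crypto": weak, "pool_route_overlap": overlaps}
```

Running `audit_vpn_config(SAMPLE_CONFIG)` returns four weak-crypto lines and one pool/route overlap entry for VPNPOOL.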


4 Replies

bluesteel
Level 1

sorry typo

should be

*****WLAN*****
(vpn-cli-tep)1.11

bluesteel
Level 1

typo

 4. vpn-cli can not ping 192.168.100.254 on talktalk through tunnel
 5. 837 can ping 192.168.100.254 on talktalk

should be

 4. vpn-cli can not ping 192.168.2.254 on talktalk through tunnel
 5. 837 can ping 192.168.2.254 on talktalk

bluesteel
Level 1

ok so I left ping -t on all night and found a reply

I think the 837 is broken?

192.168.1.11(vpn-cli-tep)_192.168.3.10(vpn-cli-tip)

ping 192.168.2.254 -t (all night)

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.2.254: bytes=32 time=37ms TTL=63
Request timed out.
Reply from 192.168.2.254: bytes=32 time=87ms TTL=63
Reply from 192.168.2.254: bytes=32 time=102ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

bluesteel
Level 1

it's definitely routing down the VPN tunnel

192.168.1.11(vpn-cli-tep)_192.168.3.10(vpn-cli-tip)

pathping 192.168.2.254

C:\Users\Pam>pathping 192.168.2.254

Tracing route to 192.168.2.254 over a maximum of 30 hops

0 Dell [192.168.3.10]
1 192.168.2.253
2 * * *
Computing statistics for 25 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 Dell [192.168.3.10]
0/ 100 = 0% |
1 75ms 0/ 100 = 0% 0/ 100 = 0% 192.168.2.253

Trace complete.

C:\Users\Pam>