03-12-2015 10:09 AM
I have a Cisco 881 router that has been configured for VPN access. The VPN works, I can log into it, but I can't access the router via CCP (or even telnet; CCP is more important though). The VPN connection gets an IP of 192.168.40.xx and the router's IP is 192.168.125.254. I'm not sure why the VPN connection can't access the router via CCP. Here is the running config:
thanks.
03-16-2015 02:00 PM
After some further testing I can't access anything on the 192.168.125.xx or the 192.168.5.xx networks from the VPN. So in short, the VPN can get a valid IP address, but can't access either network or router IP address (192.168.125.254 or 192.168.5.254).
03-17-2015 09:47 PM
Hi there,
I see you have two ISAKMP client profiles; which one are you using?
"crypto isakmp client configuration group MPE"
"crypto isakmp client configuration group PALL"
Can you please remove these two lines from ACL 100?
no access-list 100 permit ip 192.168.125.0 0.0.0.255 any
no access-list 100 permit ip 192.168.40.0 0.0.0.255 any
And add this line instead.
access-list 100 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
Thanks
Sorry for the late reply, I was busy at work.
03-18-2015 10:11 AM
No Worries about the late reply. I really appreciate you taking the time to help me.
Anyway, I removed the lines you suggested and added the other one, but still no luck. Here is the running config:
Current configuration : 11735 bytes
!
! Last configuration change at 16:53:11 UTC Wed Mar 18 2015 by ****
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313531 35333130 3933301E 170D3134 31303237 31323533
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353135
33313039 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 37697253 98CD84A7 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 02391432 063EBBC5 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
547469A2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D 364639B4 A3843F12
0B090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300D0609
2A864886 F70D0101 05050003 81810010 2D33C733 D97B1387 2E88E625 B0640CDE
F6EC596B CF071E50 D225E97A ED34EECD 9545582F 8A704365 94F8E831 E065987E
6011CBA1 E8133A32 6935A2C0 467770A3 0EACF953 0720E0CD 061938C6 F8B8C04F
E2764497 830B7EF8 5E0D9CCC 0191EBD4 DCBDADBA 2D25F70A C69E543B 139B8319
155C7F8C E6600C4E 0BD24BD8 84937A
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key *******
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key *****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group MPE
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group PALL
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.212.xx
set peer 208.98.212.xx
set transform-set ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.213.xx 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip access-group CONTROL_IN in
ip access-group CONTROL_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.62 permanent
!
ip access-list extended CONTROL_IN
remark Controll Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
permit tcp host 192.168.125.2 eq 25000 any
remark Email for WIN911
permit tcp host 192.168.125.2 any eq smtp
remark DNS Traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq domain
permit udp host 192.168.125.2 host 64.59.128.120 eq domain
ip access-list extended CONTROL_OUT
remark Control Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
permit tcp any host 192.168.125.2 eq 25000
remark Email for WIN911
permit tcp any eq smtp host 192.168.125.2
remark DNS Replies
permit udp any eq domain host 192.168.125.2
ip access-list extended INTERNET_IN
remark VNC access across VLAN
remark CCP_ACL Category=1
permit tcp any eq 25000 host 192.168.125.2
remark Allow all other traffic
permit ip any any
ip access-list extended INTERNET_OUT
remark Complete access for internet outgoing
remark CCP_ACL Category=1
permit ip any any
ip access-list extended WAN_IN
remark MPE Lethbridge Office
remark CCP_ACL Category=1
permit ip host 207.229.62.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 remark CCP_ACL Category=2
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 permit ip host 192.168.125.2 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 remark CCP_ACL Category=16
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ****
transport input telnet ssh
line vty 5 15
access-class 160 in
password ****
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
And to answer your question about the two ISAKMP profiles: I am using the MPE one, but the PALL one doesn't work either. The reason for two profiles is that one is for administrators and the other is for standard users.
03-21-2015 08:22 PM
Hi there,
Can you please remove these four ACLs assigned to the inside interfaces?
You don't need ACLs assigned to trusted interfaces; what you need is on the untrusted interface, and that is coming below.
interface Vlan1
no ip access-group CONTROL_IN in
no ip access-group CONTROL_OUT out
interface Vlan2
no ip access-group INTERNET_IN in
no ip access-group INTERNET_OUT out
no ip access-list extended CONTROL_IN
no ip access-list extended CONTROL_OUT
no ip access-list extended INTERNET_OUT
no ip access-list extended INTERNET_IN
I am not sure why you need two policy NATs, so please remove one of them.
no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
You don't need these configuration pieces, so please remove them. I see you already have two ISAKMP client profiles in use, "PALL" and "MPE", and those are all you need for remote-access VPN client purposes. So please remove these two lines below.
no crypto isakmp profile ciscocp-ike-profile-1
no crypto isakmp profile ciscocp-ike-profile-2
- - - - - - - - - - - - - - - - - - - - - - - - -
Now please apply these lines.
access-list 111 permit tcp any host 208.98.213.xx eq 25000
access-list 199 deny ip 192.168.125.0 255.255.255.0 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.5.0 0.0.1.255 192.168.40.0 0.0.0.255
interface Vlan2
ip tcp adjust-mss 1452
interface Loopback0
shutdown
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
crypto map SDM_CMAP_1 2 ipsec-isakmp dynamic DYNA-CRYPTO
ip inspect name FW tcp
ip inspect name FW udp
interface FastEthernet4
ip access-group 111 in
ip inspect FW in
ip inspect FW out
Let me know, how these are coming along.
thanks
03-23-2015 07:11 AM
I added all but the last two lines
ip inspect FW in
ip inspect FW out
Because once I added the line
ip access-group 111 in
As soon as I added that line I lost the telnet connection and could no longer even ping the router's external IP address or connect to the VPN. It may be a few days before I can travel out to the site and reboot to revert to the startup config.
03-24-2015 07:41 AM
This is to enable security on the public IP address facing the Internet.
The permit line below enables you to access it via SSH.
access-list 111 permit tcp any host 208.98.213.xx eq 22
These five lines below enable the firewall function on your router; did you apply them? And you don't need ACLs on inside interfaces.
- - - - - - - - - - - - - - - - - - - -
ip inspect name FW tcp
ip inspect name FW udp
interface FastEthernet4
ip access-group 111 in
ip inspect FW in
ip inspect FW out
- - - - - - - - - - - - - - - - - - - -
03-25-2015 07:47 PM
I've added the commands, but now I can't even connect via VPN. I can still telnet into the router.
Here is the running config:
Current configuration : 11380 bytes
!
! Last configuration change at 22:35:18 UTC Wed Mar 25 2015 by ****
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313531 35333130 3933301E 170D3134 31303237 31323533
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353135
33313039 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 37697253 98CD84A7 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 02391432 063EBBC5 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
547469A2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D 364639B4 A3843F12
0B090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300D0609
2A864886 F70D0101 05050003 81810010 2D33C733 D97B1387 2E88E625 B0640CDE
F6EC596B CF071E50 D225E97A ED34EECD 9545582F 8A704365 94F8E831 E065987E
6011CBA1 E8133A32 6935A2C0 467770A3 0EACF953 0720E0CD 061938C6 F8B8C04F
E2764497 830B7EF8 5E0D9CCC 0191EBD4 DCBDADBA 2D25F70A C69E543B 139B8319
155C7F8C E6600C4E 0BD24BD8 84937A
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name FW tcp
ip inspect name FW udp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key ****
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key ****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group MPE
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group PALL
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.212.xx
set peer 208.98.212.xx
set transform-set ESP-3DES-SHA2
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp dynamic DYNA-CRYPTO
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.236.51 255.255.255.224
ip access-group 111 in
ip nat outside
ip inspect FW in
ip inspect FW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.62 permanent
!
ip access-list extended WAN_IN
remark MPE Lethbridge Office
remark CCP_ACL Category=1
permit ip host 207.229.31.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 remark VPN Traffic
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 remark CCP_ACL Category=2
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 permit ip host 192.168.125.2 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 111 permit icmp any host 208.98.213.xx
access-list 111 permit tcp any host 208.98.213.xx eq 25000
access-list 111 permit tcp any host 208.98.213.xx eq 22
access-list 111 permit tcp any host 208.98.213.xx eq telnet
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 remark CCP_ACL Category=16
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
access-list 199 deny ip 0.0.0.0 255.255.255.0 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.25
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ****
transport input telnet ssh
line vty 5 15
access-class 160 in
password ****
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
03-25-2015 07:47 PM
Please put ACLs 199 and 110 in this order; the permit lines must be at the end, after all tunnel-bound traffic has been excluded for NAT exemption.
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.5.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 199 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 permit ip 192.168.125.0 0.0.0.255 any
access-list 110 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.5.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.125.0 0.0.0.255 any
Thanks
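The 03-24 reply above puts ACL 111 inbound on FastEthernet4, and the 03-25 reply explains that the NAT route-map ACLs 199 and 110 must list the tunnel-bound denies before the permits. Both are ordering-and-coverage questions that can be checked without a router. The Python below is an added example, not code from this thread or from Cisco: it evaluates numbered extended ACLs with IOS first-match semantics, replays the flow that matters here against ACL 199 as it appeared in the 03-25 running config and in the recommended order, and runs ACL 111 against what an IPsec remote-access client actually sends (IKE on UDP 500, UDP 4500 when NAT-T is in play, and ESP). The host addresses 192.168.125.10, 192.168.40.100, 198.51.100.7 and 203.0.113.5 are constructed for the example, and 208.98.213.1 stands in for the masked 208.98.213.xx.

```python
"""Evaluate Cisco IOS numbered extended ACLs the way the router does: first match wins,
an implicit 'deny ip any any' ends the list, and a wildcard bit of 1 means 'don't care'.
Example code added to this thread; it is not from the original posts."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst dport")   # src/dst: (network, wildcard)
PORT_NAMES = {"telnet": 23, "ssh": 22, "smtp": 25, "domain": 53}
ANY = (0, 0xFFFFFFFF)
_addr = lambda text: int(ipaddress.IPv4Address(text))

def _parse_match(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (_addr(tokens.pop(0)), 0)
    return (_addr(first), _addr(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny"), line
    rest = tok[4:]
    src, dst = _parse_match(rest), _parse_match(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Ace(tok[2], tok[3], src, dst, dport)

load = lambda text: [parse_ace(line) for line in text.strip().splitlines()]

def _matches(spec, ip):
    return ((ip ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def _covers(a, b):
    """True when spec a matches every address that spec b matches."""
    return (a[1] | b[1]) == a[1] and _matches(a, b[0])

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching ACE); index None is the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", proto) and ace.dport in (None, dport)
                and _matches(ace.src, s) and _matches(ace.dst, d)):
            return ace.action, i
    return "deny", None

def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE already covers them."""
    return [i for i, later in enumerate(acl)
            if any(e.proto in ("ip", later.proto) and e.dport in (None, later.dport)
                   and _covers(e.src, later.src) and _covers(e.dst, later.dst)
                   for e in acl[:i])]

def suspicious_wildcards(acl):
    """Indices whose wildcard (other than 'any') has its top bit set: a subnet mask was
    typed where IOS wants a wildcard. IOS zeroes the don't-care bits, which is how
    '192.168.125.0 255.255.255.0' gets stored as '0.0.0.0 255.255.255.0'."""
    odd = lambda spec: spec != ANY and bool(spec[1] & 0x80000000)
    return [i for i, ace in enumerate(acl) if odd(ace.src) or odd(ace.dst)]

# First five lines of ACL 199 from the 03-25 running config: 'permit ip any any' sits
# in the middle, so every deny after it is dead.
ACL199_BEFORE = load("""
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
access-list 199 deny ip 0.0.0.0 255.255.255.0 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
""")
# ACL 199 in the order given in the 03-25 reply: tunnel-bound denies first, permits last.
ACL199_AFTER = load("""
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.5.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 199 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 permit ip 192.168.125.0 0.0.0.255 any
""")
# ACL 111 from the 03-25 running config; the thread masks the outside address as
# 208.98.213.xx, so 208.98.213.1 below is a placeholder (assumption).
OUTSIDE = "208.98.213.1"
ACL111 = load(f"""
access-list 111 permit icmp any host {OUTSIDE}
access-list 111 permit tcp any host {OUTSIDE} eq 25000
access-list 111 permit tcp any host {OUTSIDE} eq 22
access-list 111 permit tcp any host {OUTSIDE} eq telnet
""")

def nat_exempt_report():
    """LAN host to VPN client: 'permit' means the NAT route-map translates it, 'deny' exempts it."""
    lan, client, web = "192.168.125.10", "192.168.40.100", "198.51.100.7"  # constructed hosts
    return {"before": evaluate(ACL199_BEFORE, "ip", lan, client)[0],
            "after": evaluate(ACL199_AFTER, "ip", lan, client)[0],
            "internet_after": evaluate(ACL199_AFTER, "ip", lan, web)[0]}

def wan_acl_report():
    """What ACL 111 does to an IPsec remote-access client: IKE is UDP 500 (4500 with NAT-T), data is ESP."""
    peer = "203.0.113.5"                                   # constructed client address
    return {"ssh": evaluate(ACL111, "tcp", peer, OUTSIDE, 22)[0],
            "isakmp_udp500": evaluate(ACL111, "udp", peer, OUTSIDE, 500)[0],
            "nat_t_udp4500": evaluate(ACL111, "udp", peer, OUTSIDE, 4500)[0],
            "esp": evaluate(ACL111, "esp", peer, OUTSIDE)[0]}
```

Calling nat_exempt_report() shows the posted ACL 199 permitting LAN-to-VPN-client traffic (so the route-map translates it) while the reordered list denies it (exempt), with ordinary Internet-bound traffic still permitted. shadowed(ACL199_BEFORE) lists the entries after "permit ip any any" as unreachable, and suspicious_wildcards(ACL199_BEFORE) flags the "0.0.0.0 255.255.255.0" entry, which is what IOS stored after a subnet mask was entered where a wildcard belongs. wan_acl_report() shows ACL 111 passing SSH but dropping UDP 500, UDP 4500 and ESP at the implicit deny: an inbound ACL on the crypto-map interface has to permit those from the VPN peers, and since IOS checks the decrypted packet against the same inbound ACL again, the client's inner traffic (the 192.168.40.0/24 pool) needs to pass as well.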
03-26-2015 07:38 AM
I added the lines but am still unable to log into the VPN via the VPN client.
Below is the running config:
Building configuration...
Current configuration : 11522 bytes
!
! Last configuration change at 14:09:46 UTC Thu Mar 26 2015 by ****
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313531 35333130 3933301E 170D3134 31303237 31323533
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353135
33313039 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 37697253 98CD84A7 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 02391432 063EBBC5 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
547469A2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D 364639B4 A3843F12
0B090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300D0609
2A864886 F70D0101 05050003 81810010 2D33C733 D97B1387 2E88E625 B0640CDE
F6EC596B CF071E50 D225E97A ED34EECD 9545582F 8A704365 94F8E831 E065987E
6011CBA1 E8133A32 6935A2C0 467770A3 0EACF953 0720E0CD 061938C6 F8B8C04F
E2764497 830B7EF8 5E0D9CCC 0191EBD4 DCBDADBA 2D25F70A C69E543B 139B8319
155C7F8C E6600C4E 0BD24BD8 84937A
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name FW tcp
ip inspect name FW udp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key ****
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key ****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group MPE
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group PALL
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.212.xx
set peer 208.98.212.xx
set transform-set ESP-3DES-SHA2
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp dynamic DYNA-CRYPTO
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.213.xx 255.255.255.224
ip access-group 111 in
ip nat outside
ip inspect FW in
ip inspect FW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.62 permanent
!
ip access-list extended WAN_IN
remark CCP_ACL Category=1
permit ip host 207.229.22.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 remark VPN Traffic
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.125.0 0.0.0.255 any
access-list 111 permit icmp any host 208.98.213.xx
access-list 111 permit tcp any host 208.98.213.xx eq 25000
access-list 111 permit tcp any host 208.98.213.xx eq 22
access-list 111 permit tcp any host 208.98.213.xx eq telnet
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 199 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 permit ip 192.168.125.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ****
transport input telnet ssh
line vty 5 15
access-class 160 in
password ****
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
03-26-2015 01:49 PM
Remove these lines.
no crypto isakmp profile ciscocp-ike-profile-1
no crypto isakmp profile ciscocp-ike-profile-2
thanks
03-26-2015 03:19 PM
When I type in no crypto isakmp profile ciscocp-ike-profile-1
I get the following error(?)
Profile is applied to Virtual-Access1-head-0 (head) and possibly other crypto maps
and when I type in no crypto isakmp profile ciscocp-ike-profile-2 I get
Profile is applied to Virtual-Template2-head-0 (head) and possibly other crypto maps
So I don't think it is removing them.
03-26-2015 05:06 PM
interface Virtual-Template1 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile2
!
no crypto isakmp profile ciscocp-ike-profile-1
no crypto isakmp profile ciscocp-ike-profile-2
03-31-2015 02:37 PM
I have stated before that you don't need tunnel interface for site to site tunnel.
interface Virtual-Template1 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile2
!
no interface Virtual-Template1 type tunnel
no interface Virtual-Template2 type tunnel
no crypto isakmp profile ciscocp-ike-profile-1
no crypto isakmp profile ciscocp-ike-profile-2
This is all you need.
03-31-2015 03:21 PM
I input those commands and I lose VPN access. The Site to Site VPN still gives the same error. Here is the running config:
Current configuration : 11507 bytes
!
! Last configuration change at 22:00:38 UTC Tue Mar 31 2015 by ****
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name FW tcp
ip inspect name FW udp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key ****
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key ****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.212.xx
set peer 208.98.212.xx
set transform-set ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.213.xx 255.255.255.224
ip access-group 111 in
ip nat outside
ip inspect FW in
ip inspect FW out
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.211.xx permanent
!
ip access-list extended WAN_IN
remark CCP_ACL Category=1
permit ip host 207.229.14.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 remark VPN Traffic
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 101 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 110 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.125.0 0.0.0.255 any
access-list 111 remark CCP_ACL Category=17
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.236.52 host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.98.236.52 host 208.98.213.xx eq isakmp
access-list 111 permit esp host 208.98.236.52 host 208.98.213.xx
access-list 111 permit ahp host 208.98.236.52 host 208.98.213.xx
access-list 111 permit icmp any host 208.98.213.xx
access-list 111 permit tcp any host 208.98.213.xx eq 25000
access-list 111 permit tcp any host 208.98.213.xx eq 22
access-list 111 permit tcp any host 208.98.213.xx eq telnet
access-list 111 permit tcp any host 208.98.213.xx eq www
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 deny ip 192.168.2.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 199 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 permit ip 192.168.125.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ****
transport input telnet ssh
line vty 5 15
access-class 160 in
password ****
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
03-31-2015 03:52 PM
Copy these lines.
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 2 ipsec-isakmp dynamic DYNA-CRYPTO
- - - - - - - - - - - - - - - - - -
Remove these lines.
interface Virtual-Template1 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
no tunnel protection ipsec profile CiscoCP_Profile2
!
no interface Virtual-Template1 type tunnel
no interface Virtual-Template2 type tunnel
no crypto isakmp profile ciscocp-ike-profile-1
no crypto isakmp profile ciscocp-ike-profile-2
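The thread's ACLs are evaluated by the router with first-match, wildcard-mask semantics, and ACL 199 doubles as the NAT-exemption list because route-map SDM_RMAP_1 matches it. The following is an added example, not code from the thread or from Cisco: a small evaluator that parses a constructed subset of the numbered ACLs above (only the `ip` entries) and reports whether a given flow is permitted and whether the overload NAT on FastEthernet4 would translate it. The function names and the ACL subset are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the thread's numbered ACLs (IOS wildcard-mask syntax).
ACL_TEXT = """
access-list 100 remark VPN Traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 199 deny ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 199 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 permit ip 192.168.125.0 0.0.0.255 any
"""

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int

def _parse_addr(tokens, i):
    """Return (network, wildcard, next_index) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2

def parse_acls(text):
    """Group 'access-list <n> permit|deny ip SRC DST' lines by ACL number."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":          # only protocol "ip" entries appear in these ACLs
            continue
        src, swild, i = _parse_addr(t, 4)
        dst, dwild, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], src, swild, dst, dwild))
    return acls

def _match(addr, net, wild):
    """Wildcard compare: bits set in the wildcard are ignored."""
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (net & keep)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if _match(s, ace.src_net, ace.src_wild) and _match(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"

def nat_applies(acls, src, dst):
    """route-map SDM_RMAP_1 matches ACL 199: a 'deny' there exempts the flow from NAT."""
    return evaluate(acls["199"], src, dst) == "permit"
```

Running `nat_applies(parse_acls(ACL_TEXT), "192.168.125.10", "192.168.40.100")` returns False, i.e. LAN replies to a VPN client are left untranslated, while the same host to an Internet address is translated.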