Your ACL statements for NAT and interesting traffic need a little tweaking:
On site A you need to remove the ACLs matching the 10.68.61.0 network and add them with the 10.68.62.0 network as follows:
access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
***Make sure you remove the statements for .61***
On site B just add the following entry:
access-list inside_nat0_outbound extended permit ip 10.68.62.0 255.255.255.0 10.68.64.0 255.255.255.0
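The mirror requirement described in the reply above can be checked mechanically. This is an added example, not part of the original post: it parses ASA `access-list ... extended permit ip` entries and reports source/destination pairs that have no reversed counterpart on the peer, or that are in the crypto ACL but not NAT-exempt. The "before" configuration is constructed from the reply's mention of 10.68.61.0, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples: "before" is assumed from the reply; "after" and site B are its lines.
SITE_A_BEFORE = """\
access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
"""
SITE_A_AFTER = """\
access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
"""
SITE_B = """\
access-list inside_nat0_outbound extended permit ip 10.68.62.0 255.255.255.0 10.68.64.0 255.255.255.0
"""

# Matches: access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_aces(config):
    """Return {acl_name: set of (src_net, dst_net)} for network/mask entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                    ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, set()).add(pair)
    return acls

def unmirrored(local, remote):
    """Entries in `local` with no reversed (dst, src) entry in `remote`."""
    return sorted((s, d) for (s, d) in local if (d, s) not in remote)

def not_nat_exempt(acls, crypto_acl, nat0_acl):
    """Crypto-ACL pairs missing from the NAT-exemption ACL on the same device."""
    return sorted(acls.get(crypto_acl, set()) - acls.get(nat0_acl, set()))

if __name__ == "__main__":
    b = parse_aces(SITE_B)["inside_nat0_outbound"]
    for label, cfg in (("before", SITE_A_BEFORE), ("after", SITE_A_AFTER)):
        a = parse_aces(cfg)
        print(label, "unmirrored:", unmirrored(a["inside_nat0_outbound"], b))
```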
Your configuration looks ok. Please check whether the 'sysopt connection permit-vpn' command is there, using
'show run all sysopt'
It will bypass the interface ACL check for VPN traffic.
Also check the group policy applied on the tunnel-group. In your case DfltGrpPolicy is applied. Check whether vpn-tunnel-protocol includes IPSec or not in that policy.