Hi friends.
I have configured a site-to-site VPN between two routers. When I apply the crypto map to the interface, the data network works properly, but I cannot connect to the branch switches via SSH.
I need your help.
Head office router configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key blabla address 10.10.101.12
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set Transet esp-aes 256 esp-md5-hmac
!
crypto map branch_CRY 10 ipsec-isakmp
set peer 10.10.101.12
set transform-set Transet
set pfs group2
match address Branches
!
interface Loopback0
no ip address
!
interface Port-channel1
no ip address
no ip redirects
no ip proxy-arp
hold-queue 150 in
!
interface Port-channel1.11
description Link_To_Local
encapsulation dot1Q 11
ip address 172.16.1.31 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Port-channel1.101
description Link_To_Branches
encapsulation dot1Q 101
ip address 10.10.101.31 255.255.255.0
no ip redirects
no ip proxy-arp
crypto map branch_CRY
crypto ipsec df-bit clear
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
channel-group 1
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
channel-group 1
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.134.0 255.255.255.0 10.10.101.12
!
ip access-list extended Branches
permit ip 172.16.1.0 0.0.0.255 192.168.120.0 0.0.7.255
permit ip 172.16.1.0 0.0.0.255 192.168.128.0 0.0.7.255
!
!
line vty 0 4
login local
transport input ssh
Branch router configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key blabla address 10.10.101.31
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set Transet esp-aes 256 esp-md5-hmac
!
!
crypto map branch_CRY 10 ipsec-isakmp
set peer 10.10.101.31
set transform-set Transet
set pfs group2
match address Branches
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/0.101
encapsulation dot1Q 101
ip address 10.10.101.12 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
crypto map branch_CRY
crypto ipsec df-bit clear
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.134
encapsulation dot1Q 134
ip address 192.168.134.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
ip route 0.0.0.0 0.0.0.0 10.10.101.31
!
ip access-list extended Branches
permit ip 192.168.134.0 0.0.0.255 172.16.1.0 0.0.0.255
deny ip any any log
!
line vty 0 4
login local
transport input ssh
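As an added example (not part of the original post or a Cisco tool), the script below parses the two crypto ACLs quoted above and checks whether each "permit ip" entry has a mirror-image entry on the peer, which is the first thing to verify when some traffic crosses a crypto-map tunnel and other traffic does not. The ACL text is a constructed excerpt copied from the configs in the post; the function names are the example's own. On these ACLs it reports that the branch's single entry is covered by the head office's 192.168.128.0/21 entry, that the head office's 192.168.120.0/21 entry has no counterpart at the branch, and that its 192.168.128.0/21 entry is only partially matched by the branch's /24. That is a mirroring report, not a diagnosis of the SSH problem, which also depends on which side initiates and where the SSH sessions originate.

```python
"""Check that the crypto ACLs (IPsec proxy identities) of two IOS peers mirror each other."""
import ipaddress
from typing import List, Tuple

# Constructed excerpts: only the crypto ACLs from the two configs quoted in the post.
HEAD_OFFICE_ACL = """
ip access-list extended Branches
 permit ip 172.16.1.0 0.0.0.255 192.168.120.0 0.0.7.255
 permit ip 172.16.1.0 0.0.0.255 192.168.128.0 0.0.7.255
"""

BRANCH_ACL = """
ip access-list extended Branches
 permit ip 192.168.134.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip any any log
"""

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation to a prefix (wildcard bits must be contiguous)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    mask = (~wild) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a single prefix")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _parse_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand ('any', 'host X' or 'X WILDCARD'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(config: str, name: str) -> List[Ace]:
    """Return the 'permit ip' entries of the named extended ACL as (src, dst) networks."""
    aces: List[Ace] = []
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if line.startswith("ip access-list extended "):
            inside = tokens[-1] == name
            continue
        if tokens[0] not in ("permit", "deny", "remark"):
            inside = False          # any other top-level command ends the ACL block
        if not inside or tokens[:2] != ["permit", "ip"]:
            continue                # deny/remark lines never select traffic for encryption
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        aces.append((src, dst))
    return aces


def classify(ace: Ace, peer_aces: List[Ace]) -> str:
    """How the peer's ACL answers one local entry:
    mirror  - peer has exactly the reversed entry
    covered - peer's reversed entry is a superset of ours
    partial - peer's reversed entry overlaps ours but is narrower
    missing - no peer entry overlaps the reverse of this one
    """
    src, dst = ace
    best = "missing"
    for psrc, pdst in peer_aces:
        rsrc, rdst = pdst, psrc     # reverse the peer entry into local orientation
        if rsrc == src and rdst == dst:
            return "mirror"
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            best = "covered"
        elif src.overlaps(rsrc) and dst.overlaps(rdst) and best != "covered":
            best = "partial"
    return best


def mirror_report(local: List[Ace], peer: List[Ace]) -> List[Tuple[str, str, str]]:
    """One (src, dst, status) row per local entry."""
    return [(str(s), str(d), classify((s, d), peer)) for s, d in local]


if __name__ == "__main__":
    head = parse_crypto_acl(HEAD_OFFICE_ACL, "Branches")
    branch = parse_crypto_acl(BRANCH_ACL, "Branches")
    for side, rows in (("head office", mirror_report(head, branch)),
                       ("branch", mirror_report(branch, head))):
        for src, dst, status in rows:
            print(f"{side:11} {src:>18} -> {dst:<18} {status}")
```

Run it against the two running configs (the parser ignores everything outside the named ACL), and then compare the statuses with the peer that actually builds the SA; "show crypto ipsec sa" on each router shows the local and remote identities that were negotiated.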