I made the changes as you suggested, but it did not resolve the problem. I see all the SAs up for each tunnel, but it still isn't allowing me to ping or access the other site when I VPN into the first site.
Everything else is working as it was (which makes me think that the groups or multiple addresses would work). I also checked the restricted resources and added each subnet individually instead of using the 10.0.0.0/8 as before.
As for the VPN tunnel, do I need to create three separate IPsec tunnels (even though they would be identical)? I see three distinct SAs, one for each policy, and my understanding is that each policy creates an SA based on the source, destination, and tunnel used. So I am not sure how creating more IPsec tunnel configs would help, since I already see multiple SAs.
On a side note, I am able to SSH from one site to another without issue, just not when I VPN in. So it seems that my problem is restricted to the 10.10.11.0/24 (dynamic VPN range for site 1) and 10.10.10.0/24 (dynamic VPN range for site 2).
Thanks