I appreciate the response. 

Let me try to clarify, I am using the ipsec SA to communicate between two host machines; i.e from my host to the ISR.  It isn't a tunnel. So the encrypted traffic is terminated at the ISR. I am using transport mode, not tunnel mode. I can tell using the monitor capture that it gets the packets. Since they are encrypted, I can't tell anything other than that. 

I do not believe tcp window size is an issue yet, since I do not believe the TCP connection completes, I do not see a login prompt from the ISR when I try to login.  

Thanks

Let me see the config 

This is the basic configuration I am using:

crypto ikev2 proposal ucdprop
encryption aes-cbc-128
integrity sha1
group 14
!
crypto ikev2 policy ucdpolicy
match fvrf any
match address local 192.168.21.147
proposal ucdprop
!
crypto ipsec transform-set isrucdset esp-aes esp-sha-hmac
mode transport
!
crypto ikev2 keyring ipsec-b-ring1
peer ipsec-b-nat
address 192.168.21.73
identity address 192.168.21.73
pre-shared-key hello
exit
exit
!
!
crypto ikev2 profile ipsec-nat-prof
match fvrf any
match address local 192.168.21.147
match identity remote address 3.255.1.5 255.255.255.255
identity local address 192.168.21.147
authentication remote pre-share
authentication local pre-share
keyring local ipsec-b-ring1
exit
!
crypto map ipsec-b-nat 30 ipsec-isakmp
set peer 192.168.21.73
set transform-set isrucdset
set ikev2-profile ipsec-nat-prof
match address 121
exit
!
access-list 121 permit ip host 192.168.21.147 host 192.168.21.73

interface GigabitEthernet0/0/0
crypto map ipsec-b-nat

access-list 121 permit ip host 192.168.21.147 host 192.168.21.73

!

crypto map ipsec-b-nat 30 ipsec-isakmp
set peer 192.168.21.73

How ipsec work th traffic must hit the acl of s2s vpn then traffic encrypt.

Here you use local and remote host is same as set peer of vpn' so traffic not hit acl of vpn.

You need to use lo in one side and use server ip in other side then permit this lo+server ip in acl of vpn s2s.

Can you config lo ?

Note:- Lo need to route to other peer.

Thank you again for helping. 

I believe the ACL is okay. I believe my only problem is the tcp errors. 

The 192.168.21.73 is the IP address the ISR will receive for SA and for traffic. 

The SA establishes with this configuration and afterwards I can ping from the host to the ISR using the ipsec transport that is established. So both the IKE exchange and the data path works. My problem is that tcp does not work. This would point to an issue at that layer, not the IP layer. 

Thanks again

Ok' did you check crypto ipsec sa 

encrypt and decrypt counter when you ping are the counter increase?

Yes I saw encap/decaps increment. 

I couldn't figure out how to get the logging to display the tcp checksum errors with the ip addresses. I am reasonably sure that is my issue because the counters increment when I try ssh to the ISR but I couldn't see the logging. Not sure if that is possible. The error will occur 

Thanks again

Good that excellant'

The counter increase of ipsec sa but you failed to ssh 

Then there is issue in nat'

also you can show ip tcp <<- see if the tcp session is UP

The tcp connection never established. 

I tried to do a packet capture using monitor capture, but of course it was encrypted. So all I could really see is packets being sent/received but not content. 

Thanks 

esp-aes esp-sha-hmac <<- I dont try before but change the ESP to AH, the packet with AH not encrypt 

I have read that AH will not pass through NAT because the integrity check will fail. NAT will modify the IP header.