I can't seem to get the VPN connection going with my 877. I have an old IOS (12.4) but it looks to me like all the pieces are there.
Some relevant config info:
local LAN: 10.10.26.0/24
virtual LAN: 10.10.27.0/24
local G/W: A.B.C.54
remote G/W: D.E.F.155
PSK: 00000000000000000000000
relevant IOS config:
! interface for our ISP
interface Vlan4
 description ISP Link
 ip address A.B.C.54 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 crypto map azure-crypto-map
!
ip access-list extended azure-vpn-acl
permit ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 00000000000000000000000 address E.D.F.155 no-xauth
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
!
crypto map azure-crypto-map 1 ipsec-isakmp
 set peer D.E.F.155
 set security-association lifetime kilobytes 102400000
 set transform-set azure-ipsec-proposal-set
 match address azure-vpn-acl
!
access-list 104 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 105 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 106 deny ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
access-list 108 permit ip host D.E.F.155 any
access-list 109 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 110 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 111 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 112 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 113 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 113 permit ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
access-list 121 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 122 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
FWIW I'm not sure why all those access-list entries are there. Probably because the SDM I am using doesn't clean up when you delete things I would suppose. I am going to remove the one "deny" and all the duplicates and try again anyway. If anyone can spot anything amiss in there I'd appreciate a heads-up.
EDIT: The "deny" is part of a route map that prevents traffic to the matching subnet from being NAT'ed. Those access lists are actually not very useful on their own I see.
Thanks.
Richard H
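Added example (not part of the post above, and not Cisco or SDM code): a small Python checker that parses the IPsec-relevant lines of an IOS running-config and cross-checks them the way a reviewer would by hand. It verifies that every crypto-map peer has a matching "crypto isakmp key ... address" entry (IOS selects the pre-shared key by peer address, so a key defined for a different address means Phase 1 has nothing to authenticate with), that the crypto ACL named by "match address" permits the local-to-remote subnet pair, and that numbered ACLs are not verbatim duplicates of an earlier one. The sample config embedded below is constructed from the lines in the post, keeping the letter placeholders A.B.C / D.E.F exactly as posted; the subnet tuples and all function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the IPsec-relevant lines from the post, placeholders unchanged.
SAMPLE_CONFIG = """\
interface Vlan4
 ip address A.B.C.54 255.255.255.252
 crypto map azure-crypto-map
!
ip access-list extended azure-vpn-acl
 permit ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
!
crypto isakmp key 00000000000000000000000 address E.D.F.155 no-xauth
!
crypto map azure-crypto-map 1 ipsec-isakmp
 set peer D.E.F.155
 match address azure-vpn-acl
!
access-list 113 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 113 permit ip 10.10.26.0 0.0.0.255 10.10.27.0 0.0.0.255
access-list 121 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
access-list 122 permit ip 10.10.27.0 0.0.0.255 10.10.26.0 0.0.0.255
"""

# (network, wildcard) pairs as the post gives them; assumed inputs to the checker.
LOCAL_NET = ("10.10.26.0", "0.0.0.255")
REMOTE_NET = ("10.10.27.0", "0.0.0.255")

# Any line starting with one of these ends the crypto-map / named-ACL block we are in.
_TOP_LEVEL = ("interface", "crypto", "access-list", "ip ")


def parse_config(text):
    """Extract peers, ISAKMP key addresses, match ACLs and ACL entries from IOS config text."""
    cfg = {"peers": defaultdict(list), "key_addrs": set(), "match": {},
           "named_acls": defaultdict(list), "numbered_acls": defaultdict(list)}
    current_map = current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith(_TOP_LEVEL):
            current_map = current_acl = None          # left any block we were in
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)
        if m:
            current_map = m.group(1)
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current_acl = m.group(1)
            continue
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            cfg["key_addrs"].add(m.group(1))
            continue
        m = re.match(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            cfg["numbered_acls"][m.group(1)].append(m.groups()[1:])
            continue
        if current_map:
            m = re.match(r"set peer (\S+)$", line)
            if m:
                cfg["peers"][current_map].append(m.group(1))
            m = re.match(r"match address (\S+)$", line)
            if m:
                cfg["match"][current_map] = m.group(1)
        elif current_acl:
            m = re.match(r"(permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                cfg["named_acls"][current_acl].append(m.groups())
    return cfg


def check_config(text, local_net, remote_net):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    cfg = parse_config(text)
    findings = []
    for cmap, peers in cfg["peers"].items():
        for peer in peers:
            # A key for 0.0.0.0 is a wildcard key and covers any peer.
            if peer not in cfg["key_addrs"] and "0.0.0.0" not in cfg["key_addrs"]:
                findings.append(f"{cmap}: peer {peer} has no matching 'crypto isakmp key ... address' "
                                f"(keys exist for {sorted(cfg['key_addrs'])})")
        acl = cfg["match"].get(cmap)
        if acl is None:
            findings.append(f"{cmap}: no 'match address' ACL configured")
        else:
            wanted = ("permit",) + local_net + remote_net
            if wanted not in cfg["named_acls"].get(acl, []):
                findings.append(f"{cmap}: ACL {acl} does not permit {local_net[0]} -> {remote_net[0]}")
    seen = {}   # entry tuple -> first ACL number carrying exactly those entries
    for num, entries in cfg["numbered_acls"].items():
        key = tuple(entries)
        if key in seen:
            findings.append(f"access-list {num} duplicates access-list {seen[key]}")
        else:
            seen[key] = num
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, LOCAL_NET, REMOTE_NET):
        print(finding)
```

Run against the sample, the checker reports two things: the crypto map's peer D.E.F.155 has no ISAKMP key because the only key is bound to E.D.F.155, and access-list 122 is a verbatim copy of 121 (113 is kept because its two entries differ from the others). Paste the full running-config in place of the sample to check the real device; numbered ACLs that are referenced by route maps or NAT statements should be traced before deleting them, since the checker only reports duplication, not usage.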