If you don't have access to one or more of the participating nodes in the VPN, the technique is to still define those nodes in CSM so they can be used in the VPN definition. However, when it comes time to deploy, choose deploy to file for the nodes which are not accessible. The unreachable devices will, of course, still need to be configured for the VPN to work, and you can use this file deployed on the CSM server to identify what CLI is required on the device for the VPN to work.