Hi,
Instead of extending the VLANs to remote sites, create different VLANs for the remote sites and create the IP addressing scheme for the remote sites.
Also, we assume that you don't require NAT here.
1. You can do inter-VLAN routing on the Catalyst 3560, or have the Cisco 1841 router do the inter-VLAN routing.
2. Put static routes to the remote sites on the Cisco 1841 at HQ, and default static routes on the branch sites.
3. Create 2 different ISAKMP policies on the Cisco 1841 for the 2 sites, and also create the mirror of those policies on the corresponding branch sites.
4. Use pre-share authentication, as there are only 2 sites.
5. Create a transform set: esp-des esp-md5-hmac
6. Create the crypto map, and set the peer and access-list.
7. Create 2 different access-lists for the 2 sites to match the traffic to be encrypted.
8. Apply the crypto map to the WAN interface.
HTH... rate if helpful.
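
Steps 2 to 8 above as an HQ-side IOS configuration, added here as an example and not part of the original post. All addresses, ACL numbers, the names HQ-TS and HQ-MAP, the ISAKMP policy parameters, and the WAN interface name are assumptions; the keys are placeholders.

```cisco
! HQ Cisco 1841. All addresses are constructed; keys are placeholders.
!   HQ:     LAN 10.0.0.0/16,  WAN 192.0.2.1, ISP next hop 192.0.2.2
!   Site A: LAN 10.10.0.0/16, peer 198.51.100.1
!   Site B: LAN 10.20.0.0/16, peer 203.0.113.1
!
! Step 2: static routes to the remote LANs
ip route 10.10.0.0 255.255.0.0 192.0.2.2
ip route 10.20.0.0 255.255.0.0 192.0.2.2
!
! Steps 3-4: one ISAKMP policy per site, pre-shared keys.
! Policies are global and tried in priority order, so each branch
! must carry a policy whose parameters match (values here are assumed).
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <SITE_A_KEY> address 198.51.100.1
crypto isakmp key <SITE_B_KEY> address 203.0.113.1
!
! Step 5: transform set as given in the post
crypto ipsec transform-set HQ-TS esp-des esp-md5-hmac
!
! Step 7: one ACL per site; the branch ACL is the mirror image
access-list 101 permit ip 10.0.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.0.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Step 6: one crypto map, one sequence entry per peer
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set HQ-TS
 match address 101
crypto map HQ-MAP 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-TS
 match address 102
!
! Step 8: apply to the WAN interface (interface name assumed)
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 crypto map HQ-MAP
```

DES and MD5 are legacy algorithms; where the IOS image supports it, `esp-aes esp-sha-hmac` is the usual replacement in the transform set, changed on both ends of each tunnel.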