We are encrypting a single subnet (subnet A) of traffic from each branch to our HQ and also our DR site.
Each branch is connected to HQ via MPLS and to DR via MPLS; HQ and DR are connected via MetroE.
The subnet that needs to be encrypted from the branches is trunked from HQ to DR.
The potential exists for the branches to send/receive to/from this subnet in both HQ and DR at the same time.
Branch to HQ is a standard VPN tunnel, encrypting subnet A with no NATing
I am thinking that I could NAT the subnet on the DR side MPLS edge router and then configure two VPN tunnels in each branch router.
I could then configure tunnel 1 access-list to send to subnet A, tunnel 2 access-list sends to NATed subnet A.
Does this sound plausible?
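A small model of the proposed design, added here as an illustration and not part of the original post: it assumes constructed addresses (192.168.10.0/24 for the branch LAN, 10.1.0.0/24 for subnet A, 10.99.0.0/24 for the NATted view presented by the DR edge) and shows that the static NAT is what keeps the two branch crypto ACLs from overlapping, so each destination selects exactly one tunnel.

```python
import ipaddress

# Constructed sample addressing; the post names no addresses.
BRANCH_LAN   = ipaddress.ip_network("192.168.10.0/24")
SUBNET_A     = ipaddress.ip_network("10.1.0.0/24")   # real subnet A, reached via HQ tunnel
SUBNET_A_NAT = ipaddress.ip_network("10.99.0.0/24")  # 1:1 NATted subnet A, reached via DR tunnel

# Branch router crypto ACLs as (tunnel, src, dst); the first matching entry selects the tunnel.
CRYPTO_ACLS_WITH_NAT = [
    ("tunnel1-HQ", BRANCH_LAN, SUBNET_A),
    ("tunnel2-DR", BRANCH_LAN, SUBNET_A_NAT),
]
# The same two tunnels without NAT on the DR side: both ACLs carry identical selectors.
CRYPTO_ACLS_NO_NAT = [
    ("tunnel1-HQ", BRANCH_LAN, SUBNET_A),
    ("tunnel2-DR", BRANCH_LAN, SUBNET_A),
]

def select_tunnel(src, dst, acls):
    """Return the tunnel whose crypto ACL first matches src->dst, or None for clear-text."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tunnel, s, d in acls:
        if src in s and dst in d:
            return tunnel
    return None

def overlapping_acls(acls):
    """Return (earlier, later) tunnel pairs whose selectors overlap; the later one is shadowed."""
    shadowed = []
    for i, (t1, s1, d1) in enumerate(acls):
        for t2, s2, d2 in acls[i + 1:]:
            if s1.overlaps(s2) and d1.overlaps(d2):
                shadowed.append((t1, t2))
    return shadowed

def dr_edge_nat(addr):
    """Static 1:1 NAT on the DR MPLS edge: swaps the /24 prefix, keeps the host part.
    Inbound from a branch: 10.99.0.x -> 10.1.0.x. Outbound toward a branch: 10.1.0.x -> 10.99.0.x."""
    a = ipaddress.ip_address(addr)
    for inside, outside in ((SUBNET_A_NAT, SUBNET_A), (SUBNET_A, SUBNET_A_NAT)):
        if a in inside:
            host = int(a) - int(inside.network_address)
            return ipaddress.ip_address(int(outside.network_address) + host)
    return a  # not subject to translation

if __name__ == "__main__":
    print(select_tunnel("192.168.10.5", "10.1.0.20", CRYPTO_ACLS_WITH_NAT))   # tunnel1-HQ
    print(select_tunnel("192.168.10.5", "10.99.0.20", CRYPTO_ACLS_WITH_NAT))  # tunnel2-DR
    print(dr_edge_nat("10.99.0.20"))                                          # 10.1.0.20
    print(overlapping_acls(CRYPTO_ACLS_NO_NAT))                               # [('tunnel1-HQ', 'tunnel2-DR')]
```

Branch hosts must be told to use the NATted address when they want the DR copy of subnet A, which is the one piece the crypto ACLs alone do not solve.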