Hi
This link does says that all the boxes configured in the virtual cluster must be in same public & private subnets.
Restrictions
These restrictions apply to load-balancing on VPN 3000 Concentrators:
Load-balancing can only occur with Cisco Release 3.x (or later) IPsec VPN Clients-to-LAN connections. Earlier VPN Clients can still connect to their target Ethernet2 (public) port IP address within the cluster.
Note: Load balancing can still work if both VPN Concentrators do not have the same software version loaded on them.
VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.
All devices in the virtual cluster must be on the same public and private IP subnets.
A filter has to be applied on both public and private interfaces. The defaults are:
private filter on the private interface
public filter on the public interface
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml#req
regds