Yes, Domain-Based VPN and a 0.0.0.0/0 Encryption Domain.
VTIs are not an option since we use VPN redundancy with link selection and MEP.
I hoped that there is an option like the user.def file to exclude networks from the 0.0.0.0/0 .....
I also tried with network-range objects representing the public IP ranges - works.
But using that we had a strange behavior:
Design: SiteGW -> VPN -> GW central site - routing - GW-Perimeter -> VPN -> SMB
Perimeter GW claims that the IP of the SMB gateway is in the encryption domain of "GW central site" and for that reason it drops the tunnel to it.
This also happens if the SMB device is managed by a different CMA (defined as externally managed /interop).
This is why I hope that with a route-all-traffic VPN we might get rid of this behavior.