Scenario: Site A and Site B both have 'Secure' subnets. Traffic to and from these subnets must be encrypted. They also have 'User' subnets that are not secure and have high bandwidth consumption. Any traffic from a User subnet to a Secure subnet must be encrypted in both directions; however, User to User traffic must not be encrypted (mostly due to bandwidth limitations over the VPN links). There is both a VPN gateway and an Internet gateway, and they are on separate routing paths.
Currently, Site A Secure and Site B Secure comprise their respective encryption domains. If we were to add User to either encryption domain, we would have to forward 100% of traffic over the VPN, which will run into bandwidth issues. However, if we don't add it, then any User traffic would not be considered interesting traffic and would be sent out in the clear even if destined for Secure. Our thought is to create a NAT on each Site, then use routing to send anything destined to the NAT back to the VPN gateway. This way, the User subnets can be added to the encryption domain, but will only route over the VPN when the original destination is for Secure.
Does this sound feasible?
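The following is an added model of the design described in the question, not the poster's configuration or any vendor's implementation. It treats the VPN gateway as a policy-based tunnel whose "interesting traffic" test is simply "source inside the local encryption domain and destination inside the remote one", and models the proposed NAT as a 1:1 source translation of User addresses into a per-site NAT pool that is included in that site's encryption domain. All prefixes (10.1.x / 10.2.x) and the NAT pool are assumed for illustration.

```python
"""Model of the NAT-plus-routing idea: does each leg of a flow ride the VPN?

Assumed addressing and selector logic; constructed for the example, not taken
from any real deployment.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: Secure and User per site, plus a NAT pool per site
# that the site's VPN gateway includes in its local encryption domain.
SITES = {
    "A": {"secure": ip_network("10.1.1.0/24"), "user": ip_network("10.1.2.0/24"),
          "nat_pool": ip_network("10.1.9.0/24")},
    "B": {"secure": ip_network("10.2.1.0/24"), "user": ip_network("10.2.2.0/24"),
          "nat_pool": ip_network("10.2.9.0/24")},
}


def encryption_domain(site, with_nat_pool):
    """Prefixes a site presents to the tunnel as its local encryption domain."""
    nets = [SITES[site]["secure"]]
    if with_nat_pool:
        nets.append(SITES[site]["nat_pool"])
    return nets


def in_any(addr, nets):
    return any(addr in n for n in nets)


def site_of(addr):
    for name, nets in SITES.items():
        if in_any(addr, nets.values()):
            return name
    raise ValueError(f"{addr} belongs to no site")


def apply_nat(src, dst, with_nat_pool):
    """Site-edge NAT rule from the question: a User host talking to the remote
    Secure subnet gets a source address from the local NAT pool (which is
    routed to the VPN gateway). Anything else keeps its real source."""
    if not with_nat_pool:
        return src
    s, d = site_of(src), site_of(dst)
    if s != d and src in SITES[s]["user"] and dst in SITES[d]["secure"]:
        # Deterministic 1:1 mapping: keep the host part, swap the prefix,
        # so the reverse translation is unambiguous.
        host = int(src) - int(SITES[s]["user"].network_address)
        return SITES[s]["nat_pool"].network_address + host
    return src


def is_interesting(src, dst, with_nat_pool):
    """Crypto selector: encrypt iff src is in the local domain and dst in the
    remote site's domain. Intra-site traffic never touches the tunnel."""
    s, d = site_of(src), site_of(dst)
    if s == d:
        return False
    return (in_any(src, encryption_domain(s, with_nat_pool))
            and in_any(dst, encryption_domain(d, with_nat_pool)))


def path(src, dst, with_nat_pool):
    """Follow one flow and its reply.

    Returns (source seen on the wire, forward leg, reverse leg), where each
    leg is 'vpn' or 'clear'. The reply is addressed to whatever source the
    forward packet carried, which is what makes the NAT trick work.
    """
    src, dst = ip_address(src), ip_address(dst)
    nat_src = apply_nat(src, dst, with_nat_pool)
    forward = "vpn" if is_interesting(nat_src, dst, with_nat_pool) else "clear"
    reverse = "vpn" if is_interesting(dst, nat_src, with_nat_pool) else "clear"
    return str(nat_src), forward, reverse


if __name__ == "__main__":
    flows = [("10.1.2.10", "10.2.1.20"),   # User A   -> Secure B
             ("10.1.2.10", "10.2.2.20"),   # User A   -> User B
             ("10.1.1.10", "10.2.1.20"),   # Secure A -> Secure B
             ("10.2.1.20", "10.1.2.10")]   # Secure B -> User A (Secure-initiated)
    for mode in (False, True):
        print(f"NAT pool in encryption domain: {mode}")
        for s, d in flows:
            wire_src, fwd, rev = path(s, d, mode)
            print(f"  {s} -> {d}: on wire as {wire_src}, forward={fwd}, reverse={rev}")
```

Running it shows the two outcomes the question is weighing: without the NAT pool, User A to Secure B goes in the clear in both directions because the User source never matches a selector; with the NAT pool in the domain, the same flow is translated to 10.1.9.10, matches in both directions, and User to User stays off the tunnel. The model also exposes one caveat worth checking against the real requirement: a connection initiated from the Secure side towards a User host (last flow) is not translated by this rule and therefore goes in the clear in both directions, so if Secure-initiated traffic to User must also be encrypted, the NAT rule needs a matching destination-side translation or the design needs another mechanism for that direction.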