Currently I'm labbing a situation where I'll need to have branch users route to a vendor through HQ via IPsec tunnels. Users at my branch can access Web/HQ services through the HQ firewall, but not when accessing the vendor. Logs at HQ show the attempts to the vendor from the branch office, but nothing but incompletes/aged-out.
From HQ, I do see active Phase II connections for the branch/vendor connection, but of course no encaps/decaps.
Also, I do have redistribution profiles for the branch and vendor connections on the HQ firewall.