I have 3 locations.
HQ, Branch A and B.
It is a hub-and-spoke design with HQ being the hub.
Branches A and B are connected to HQ via IPSec VPN.

If Branch A and B want to communicate by going through HQ, do I need to configure a No NAT statement at each branch?

Hi inyourname,

Thanks for your question. Normally there is no requirement for No-NAT unless you are specifically captured by a default cone-NAT outbound. If you are using a classic IKE-based IPVPN, you can create a completely separate routable interface using IPSec VTI techniques or use GRE over IPSec as outlined here. They are very similar in design and will help to make traffic flow more deterministic.

I hope this helps.
Best regards,