Thanks for your question. Normally there is no requirement for No-NAT unless you are specifically captured by a default cone-nat outbound. If you are using a classic IKE based IPVPN, you can create a completely separate routable interface using IPSec VTI techniques or use GRE over IPSec as outlined here. They are very similar in design and will help to make traffic flow more deterministic.