Hello, yes, the branch MD has a public WAN IP.
Regarding routes, the Branch has a route to the VPNC and the MM via "ipsec map management-vpnc":
I [MM IP]/32 [0/256] ipsec map management-vpnc
C [WAN IP]/24 is directly connected, VLAN1
C [VPNC IP]/32 is an ipsec map management-vpnc
On the MM, a "show ip route" does not show a route back to the Branch MD:
S* 0.0.0.0/0 [0/1] via [DataCenter LAN Gateway]*
C [DataCenter LAN Subnet]/24 is directly connected, VLAN1
C [VPNC-A IP]/32 is an ipsec map default-local-master-ipsecmapA
C [VPNC-B IP]/32 is an ipsec map default-local-master-ipsecmapB
C [MM Backup Peer IP]/32 is an ipsec map default-psk-redundant-master-ipsecmap
However, there is a route statement (again, output from the MM config):
ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-A MAC Address] 30
ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-B MAC Address] 20
This is one of the roadblocks;
Thanks for all the feedback,