The No-NAT feature is available in OS 15.15 and yes, we have it enabled on the WAN link.
We don't have an MX in the HQ. Currently only the branch has an MX, hence AutoVPN is not possible.
Secondly, I cannot create an IPSec VPN with the HQ since the link between HQ and Branch is not direct. I wanted to keep the details simple so didn't mention this earlier.
The network connectivity is as follows:
The branch MX has an MPLS link going to a router in a DC. The DC router has an Internet connection. This internet link is used for providing internet access to the MX and its LAN subnet. The internet link on the DC router is also used to establish an IPSec VPN with the HQ.
Now if traffic is initiated from the HQ LAN, it reaches the MX WAN interface but is then dropped because by default inbound connections are not allowed on the MX. Is there a way to allow these?