Why would you want them to access the Internet by hairpinning in and out of the other site? Why not have their local MX split tunnel (don't tick the Default route box when configuring the AutoVPN tunnel to the Hub)? Make sure you have the Advanced Security license.