DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN with a public IP as local endpoint

06 Oct 2011 14:57 #1 by starch
Hello,

I have a Vigor 3300.

When agreeing with counterparties on the gateway and local endpoint of a VPN, the counterparty often requires our endpoint to be a public IP (i.e. not in a range defined in RFC 1918).

Is that possible with the Vigor? I can enter my public IP as gateway and endpoint in the VPN creation dialog, but in that case the traffic would never end up on my LAN.

Is there any way to achieve that?

Thank you very much

25 Oct 2011 11:11 #2 by captain-midnight
Replied by captain-midnight on topic Re: VPN with a public IP as local endpoint
Hmm.....

Not sure I understand the issue really, but here goes......

In classical point-to-point VPNs, the endpoints of the VPNs are generally always public IP addresses - otherwise each endpoint would have no idea how to route across the internet to the other site?

Just because the VPN publicly 'terminates' on the WAN interface of the router, that doesn't mean to say the router won't understand what to do with the traffic once it has been decrypted using the encryption transform set that was applied to the traffic before it entered the VPN tunnel from the other site's router. The tunnel endpoint is the router's WAN interface, but the encrypted traffic's destination will be the other side of the router and it will know that surely - as that will be part of your configuration?

Site-to-site VPNs are exactly that: generally an encrypted VPN tunnel is created between two external public-facing IP addresses that are connected to the VPN-terminating routers or are NAT'd to the terminating routers - but that can add some complications, so it is best, if possible, to keep it simple, unless the VPN router's external interface is being protected by a further external firewall device.

In a business environment, I would never form a site-to-site VPN with anything other than public IPs from an external point of view - what you do internally and how you NAT them, if required, to something else is up to each individual site.

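The thread separates two things that often get conflated: the tunnel endpoint (the router's public WAN address, which IKE/IPsec peers always talk to) and the encryption domain, the traffic selectors that say which inside addresses are allowed through the tunnel. When a counterparty refuses RFC 1918 selectors, the usual answer is what the reply above hints at: keep the LAN private and 1:1 NAT it to a small public block before the traffic enters the tunnel, so the selector offered to the peer is public. The following script is an added illustration, not code from the forum or from DrayTek: it flags proposed selectors that fall inside RFC 1918 and works out the 1:1 (NETMAP-style, host bits preserved) translation between a private LAN and the public block that would be presented as the local encryption domain. The subnets used are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges, the ones a counterparty typically rejects as selectors.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(selector):
    """True if the whole selector lies inside an RFC 1918 range."""
    net = ipaddress.ip_network(selector, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_traffic_selectors(selectors):
    """Map each proposed local selector to True (acceptable, public) or False (private)."""
    return {s: not is_rfc1918(s) for s in selectors}


def netmap(address, private_net, public_net):
    """1:1 translate one private host to its public twin, preserving the host bits.

    This mirrors what a NETMAP-style NAT does in front of the tunnel: the
    private and public blocks must be the same size, and host N in one maps
    to host N in the other, in both directions (swap the arguments to reverse).
    """
    priv = ipaddress.ip_network(private_net, strict=False)
    pub = ipaddress.ip_network(public_net, strict=False)
    if priv.prefixlen != pub.prefixlen:
        raise ValueError("private and public blocks must be the same size")
    addr = ipaddress.ip_address(address)
    if addr not in priv:
        raise ValueError(f"{addr} is not inside {priv}")
    host_bits = int(addr) - int(priv.network_address)
    return ipaddress.ip_address(int(pub.network_address) + host_bits)


def build_nat_table(private_net, public_net):
    """Full private->public mapping for the block, as a dict of strings."""
    priv = ipaddress.ip_network(private_net, strict=False)
    return {str(h): str(netmap(h, private_net, public_net)) for h in priv.hosts()}


if __name__ == "__main__":
    # Constructed example: our LAN is 192.168.1.0/28, the counterparty wants a
    # public selector, so we present 203.0.113.16/28 (TEST-NET-3, used here as a stand-in).
    proposed = ["192.168.1.0/28", "203.0.113.16/28"]
    for sel, ok in check_traffic_selectors(proposed).items():
        print(f"{sel}: {'public, acceptable' if ok else 'RFC 1918, counterparty will reject'}")
    for inside, outside in build_nat_table("192.168.1.0/28", "203.0.113.16/28").items():
        print(f"{inside} <-> {outside}")
```

The `netmap` function is symmetric, so the same routine gives the reverse translation for return traffic arriving from the tunnel addressed to the public block. On the router this corresponds to a 1:1 NAT rule applied to traffic before the IPsec policy matches it; the exact DrayTek menu for that is not covered by the thread.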