1 VR is an external zone to which a VPN router is connected
2 VRs corresponding to different environments, LAN A and LAN B.
Coming from the VPN, the clients are NATted into 2 subnets depending on which environment they belong to.
Currently VPN A can access both LAN A and LAN B, and so can VPN B. I can prevent communication between VPN A and LAN B and between VPN B and LAN A.
This is not good enough for what I need to do, as LAN A and LAN B have the same subnets, so with the rib groups allowing the external VR to learn routes from VR A and VR B, the VPN clients have 2 routes to access the same subnet.
The solution would be to create source-based routing so that subnet VPN A in VR External is forced to VR A and VPN B in VR External is forwarded to VR B.
I have looked at this but it does not involve multiple VRs: