Perhaps I am missing something, but it sounds like your problem doesn't really involve IPSec, per se.
In other words, you can currently:
- Connect to the internet from either site.
- Communicate between the two sites via IPSec.
However, the issue you seem to be having is that you want to force all internet traffic from a specific device to travel across the IPSec tunnel and be sent out over the internet connection at the other site. Is that correct?