Thank you for your reply, Keith.
Presently the way it is now is what I have described above. My concern here is that NAT 0 on one side is more widely defined (10.0.0.0/8, as opposed to 10.20.0.0/16) and whether that will prevent it from working. Can you please comment on that?
Also, any thoughts on the second question regarding the option "enable inbound ipsec session to bypass access list"?