But with few changes it is possible. In configuration below a single crypto map with two entries is applied on WAN (outside facing) interface, so subinterfaces are no longer needed.
Although not directly related to this concept, additional NAT rule for translating inside LAN address on central site is also added. But this part is also quite useful, since it shows statefullness of new NAT feature. It is possible to reach central site from customers sites using both real, and natted addresses. If packets to real address are sent from customer sites, return traffic will keep real address (ip nat source static 10.10.2.1 192.168.192.1 vrf Central_VRF will not be used). If NATed address is used, NAT will of course do its job. So there is different behavior for same packet coming from central LAN towards customer sites, depending part of which session it is (it depends did the customer sent a packet to real or natted IP address).
Special care needs to be made with VRFs in many commands below. With any small misconfiguration it will not work.
Central site router:
ip vrf Central_VRF
rd 100:100
!
ip vrf Customer_A_VRF
rd 100:101
!
ip vrf Customer_B_VRF
rd 100:102
!
ip vrf WAN
rd 100:99
!
crypto keyring Customer_A_CRYPTO_KEYRING vrf WAN
pre-shared-key address 192.168.1.11 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf WAN
pre-shared-key address 192.168.1.12 key abc123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile Customer_A_ISAKMP_PROFILE
vrf Customer_A_VRF
keyring Customer_A_CRYPTO_KEYRING
match identity address 192.168.1.11 255.255.255.255 WAN
crypto isakmp profile Customer_B_ISAKMP_PROFILE
vrf Customer_B_VRF
keyring Customer_B_CRYPTO_KEYRING
match identity address 192.168.1.12 255.255.255.255 WAN
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map WAN_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.11
set transform-set Customer_A_TRANSFORM_SET
set isakmp-profile Customer_A_ISAKMP_PROFILE
match address Customer_A_CRYPTO_ACL
crypto map WAN_CRYPTO_MAP 20 ipsec-isakmp
set peer 192.168.1.12
set transform-set Customer_B_TRANSFORM_SET
set isakmp-profile Customer_B_ISAKMP_PROFILE
match address Customer_B_CRYPTO_ACL
!
interface GigabitEthernet0/1
description WAN
ip vrf forwarding WAN
ip address 192.168.1.2 255.255.255.240
ip nat enable
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map WAN_CRYPTO_MAP
!
interface GigabitEthernet0/2
description To_Central_LAN
ip vrf forwarding Central_VRF
ip address 10.10.1.1 255.255.255.0
ip nat enable
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
ip nat source static 10.10.2.1 192.168.192.1 vrf Central_VRF
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
ip route vrf Central_VRF 192.168.192.1 255.255.255.255 10.10.1.2
ip route vrf Central_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Central_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1 192.168.1.12
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1 192.168.1.11
ip route vrf Customer_A_VRF 192.168.192.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1 192.168.1.12
ip route vrf Customer_B_VRF 192.168.192.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
!
ip access-list extended Customer_A_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.192.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.192.0 0.0.0.255 192.168.10.0 0.0.0.255