Hi.
The easiest way is to get the snmp-server trap source command to work.
When you say it's not working, do you mean the branches still use the external interface as the source? Or that it's sourced properly from vlan1 but somehow doesn't get encrypted?
What IOS version are you running on the branches? Maybe this is a bug and newer versions get it to work?
If you want to go another way than snmp-server trap source, then an IPsec redesign might be needed. As you noticed, DMVPN would be the easiest. Another solution would be dynamic LAN-to-LAN from branch to headend with GRE tunnels (similar to DMVPN), and then force the route to the management network via GRE; this way the SNMP trap source would default to use the tunnel IP address.
Regards,
Fadi.