The data will be going through an encrypting device on both ends. Basically, Distant end (users > 3750G > Encrypting device > 3570G ) > Near end (3560G > Encrypting device > 3560G > router).
Well, in this case, your encryption device connected to the 3750G will do the encryption/decryption (depending upon the traffic flow/direction), and these encrypted packets will be just plain data IP traffic which will be switched by the 3750Gs. The other end's encryptor connected to the 3560G will do the decrypt/encrypt of the encrypted IP traffic. These will be encrypted IP packets that these switches should be able to forward. Since these switches have nothing to do in terms of encryption and decryption, you should be able to run this scenario fine.
Let me know if my understanding is not correct in terms of data flow.
Yes, I think you got the gist of what I was trying to say. Just in case, though, I will have 2 secure/encrypted networks that need to be tunneled between an unsecured network. I read somewhere that creating a point-to-point tunnel between 2 switches using loopback IPs will work.
As Toshi mentioned, please explain a bit more on the requirement. The 3560G/3750G switches do not support any type of tunneling except dot1q tunneling, which is basically used for VLAN translation/mapping. On the newer 3750-x/3560-x switches, we have a feature called MACSEC, which basically supports 128-bit port-port line-rate encryption. The hardware is capable of this feature and we are due to release the software to enable the same.