We have an IPsec VPN established on WAN which is intended to route traffic between our local network and a number of public IP addresses on the remote side. This is already in place using a standard site-to-site configuration with installed policies, and is connecting successfully. However, as the servers on our LAN side are in a datacentre where routing definitions across the private network are outside of our control, we cannot route these public IP addresses over the LAN directly. Instead, I had the idea to establish a LAN-side IPsec VPN to connect between the hosts on our private network, like so:
Internal Server ==> IPsec over LAN ==> OPNsense ==> IPsec over WAN ==> Remote Gateway ==> Remote Public IP
However, while both connections appear to be operational, I see that traffic is being dropped by the Default deny/state violation rule. I can add rules to pass the traffic regardless, and I see that if I mtr the remote public IP then the following appear in the firewall logs as green entries:
IPsec 2022-10-20T13:02:32 <OPNsense WAN IP> <Remote IP> icmp
IPsec 2022-10-20T13:02:32 <Internal Server IP> <Remote IP> icmp
However, no traffic is able to cross the two VPNs. I am assuming this is because doing this bypasses the usual NAT functionality of IPsec, or something to that effect. How do I correctly link things up between the two VPNs?