Routing between VPNs on different interfaces

Started by jsnell, October 20, 2022, 03:08:36 PM

We have an IPSec VPN established on WAN which is intended to route traffic between our local network and a number of public IP addresses on the remote side. This is already in place using a standard site-to-site configuration with installed policies, and is connecting successfully. However, as the servers on our LAN side are in a datacentre where routing definitions across the private network are outside of our control, we cannot route these public IP addresses over the LAN directly. Instead I had the idea to establish a LAN-side IPSec VPN to connect between the hosts on our private network, like so:

Internal Server ==> IPSec over LAN ==> OPNsense ==> IPSec over WAN ==> Remote Gateway ==> Remote Public IP

However, while both connections appear to be operational, I see that traffic is being dropped by the Default deny/state violation rule. I can add rules to pass the traffic regardless, and I see that if I mtr the remote public IP then the following appear in the firewall logs as green entries:

IPsec    2022-10-20T13:02:32    <OPNsense WAN IP>       <Remote IP>    icmp
IPsec    2022-10-20T13:02:32    <Internal Server IP>    <Remote IP>    icmp

However, no traffic is able to cross the two VPNs. I am assuming this is because doing this bypasses the usual NAT functionality of IPSec, or something to that effect. How do I correctly link things up between the two VPNs?
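The following is an added illustration, not code from the post or from OPNsense. With policy-based (installed-policy) IPsec, the transit firewall only forwards a flow across two tunnels if the kernel's security policies cover that flow twice: once inbound on the LAN-side tunnel (decapsulation) and once outbound on the WAN-side tunnel, plus the reverse pair for the replies. The model below treats each Phase 2 as a local/remote traffic-selector pair seen from OPNsense's side and reports which of those four matches is missing for a given server-to-remote flow. All addresses (the 10.0.0.0/16 site, server 10.0.1.50, remote public range 203.0.113.0/24) are constructed placeholders, and the "broken" and "fixed" selector sets are hypothetical, not the poster's actual configuration.

```python
"""Check whether a flow is covered by both IPsec tunnels on a transit box.

Added example (not from the forum post or OPNsense). Selectors are modelled
from OPNsense's point of view: `local` is the Phase 2 local network and
`remote` is the Phase 2 remote network. Addresses are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    name: str
    local: str   # Phase 2 "local network" as configured on OPNsense
    remote: str  # Phase 2 "remote network" as configured on OPNsense


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def covers_inbound(p2: Phase2, src: str, dst: str) -> bool:
    """A packet arriving encrypted is decapsulated only if its src is in the
    remote selector and its dst is in the local selector."""
    return _in(src, p2.remote) and _in(dst, p2.local)


def covers_outbound(p2: Phase2, src: str, dst: str) -> bool:
    """A forwarded packet is encrypted into this tunnel only if its src is in
    the local selector and its dst is in the remote selector."""
    return _in(src, p2.local) and _in(dst, p2.remote)


def check_chain(lan_tunnel, wan_tunnel, src: str, dst: str) -> list:
    """Return the policy matches missing for src->dst to cross LAN tunnel ->
    firewall -> WAN tunnel, and for dst->src replies to come back. An empty
    list means every hop has a matching installed policy."""
    problems = []
    if not any(covers_inbound(p, src, dst) for p in lan_tunnel):
        problems.append(f"LAN tunnel: no Phase 2 decapsulates {src} -> {dst}")
    if not any(covers_outbound(p, src, dst) for p in wan_tunnel):
        problems.append(f"WAN tunnel: no Phase 2 encrypts {src} -> {dst}")
    if not any(covers_inbound(p, dst, src) for p in wan_tunnel):
        problems.append(f"WAN tunnel: no Phase 2 decapsulates reply {dst} -> {src}")
    if not any(covers_outbound(p, dst, src) for p in lan_tunnel):
        problems.append(f"LAN tunnel: no Phase 2 encrypts reply {dst} -> {src}")
    return problems


# Constructed placeholders (RFC 5737 / private ranges), not real addresses.
SERVER = "10.0.1.50"          # internal server behind the LAN-side tunnel
REMOTE_HOST = "203.0.113.10"  # one of the remote public IPs

# Hypothetical "broken" setup: each tunnel only knows about the firewall's own
# LAN subnet, so the server->remote flow matches neither policy.
BROKEN_LAN = [Phase2("lan-p2", local="10.0.0.0/24", remote="10.0.1.50/32")]
BROKEN_WAN = [Phase2("wan-p2", local="10.0.0.0/24", remote="203.0.113.0/24")]

# Hypothetical "fixed" setup: the LAN-side Phase 2 offers the remote public
# range to the server, and the WAN-side Phase 2 carries the server's address.
FIXED_LAN = [Phase2("lan-p2", local="203.0.113.0/24", remote="10.0.1.50/32")]
FIXED_WAN = [Phase2("wan-p2", local="10.0.0.0/16", remote="203.0.113.0/24")]


if __name__ == "__main__":
    for label, lan, wan in (("broken", BROKEN_LAN, BROKEN_WAN),
                            ("fixed", FIXED_LAN, FIXED_WAN)):
        print(label, check_chain(lan, wan, SERVER, REMOTE_HOST) or "all policies match")
```

The selector pairs to feed in are the Phase 2 local/remote networks of each tunnel as they appear in the OPNsense configuration; on the FreeBSD base of OPNsense the policies actually installed in the kernel SPD can be dumped with `setkey -DP` to confirm they match what was intended. A flow that passes the firewall rules but fails one of these four policy matches is silently unroutable, which is consistent with seeing the packets logged as passed while nothing arrives.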