Outbound NAT before IPSEC for"This firewall"

[ruffy91]

I have the following constellation:
Local Servers-----OPNSense-----WAN-----Sophos----Remote Servers
OPNSense and Sophos have a S2S IPSec VPN

Local Subnet 10.99.201.0/24
Remote Subnet 10.99.11.0/24

This works fine, but I want to be able to access the Remote Servers (I have one Domain COntroller local and two remote) with the OPNsense.
Obviously this does not work out of the box, because packets from the Sense itself are routed out the WAN, whose IP is not allowed in the S2S tunnel.

So I added the following Outbound NAT Rule on the top:
Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description   
      WAN   This Firewall   *   Remote Subnet     *   10.99.201.1   *   NO   

afaik this should masquerade the requests coming from the OPNsense with its IP in the Local Subnet which is allowed in the Tunnel.
Unfortunately this does not work.

Can someone explain to me how I get this to work?

I have a workaround for Unbound, which is to select the Local Subnet as Outgoing Interface which allows the OPNsense to use the Remote DCs for DNS queries. But this workaround does not work for authentication, as it is not possible to select an outgoing interface for LDAP servers. Which means I have no redundancy for authentication when the local DC is not available.

Can anybody enlighten me if a.) this should work or b.) show me another workaround to use the remote DCs for LDAP over S2S

[mimugmail]

No Nat, just add WAN IP/32 as an additional Phase2

[ruffy91]

Thanks for the suggestion, this should work in many cases.
Unfortunately the WAN uses DHCP in this case.

[mimugmail]

Hm, then maybe use LDAPS and controlled by IP address?

I did some research long time ago and it didn't work out with plain NAT via IPSEC.
Maybe it's worth to dive in again, but lack of time.