Wireguard: Access Site to Site IPSec Tunnels

Started by tuaris, July 08, 2025, 04:47:30 AM

I've embraced Wireguard and yes, it's good. Not perfect, but it works well enough for the needs. It's much closer to the PPTP style VPN protocol that was flawless and is a "Just Works" type of setup. Unlike OpenVPN (for which, by the way, the current documentation appears to be inaccurate).

There is one thing missing that would turn this into a "great" option. With PPTP you had access to IPSec tunnels "for free", meaning you didn't need to do anything extra so long as your firewall rules were in place. Based on forum searches, the solution appears to be that I need to add manual SPD entries to my IPsec configuration. However, I do not see any documentation that describes the process. Could someone kindly provide a step-by-step guide? I have multiple IPSec tunnels and I can't risk breaking something and getting locked out from remote access.

Assume the following:

- 4 OPNsense devices. One per site. Some have multiple subnets: 192.168.0/24, 10.8.8/24 (A), 192.168.1/24, 10.8.7/24 (B), 192.168.7/24, 10.8.9/24 (C), 192.168.8/24 (D).
- Each site has a static public IP on the WAN side, and all 4 sites are interconnected using (legacy config) IPSec tunnels.
- Firewall rules are in place that allow all sites to communicate with all hosts in the subnets.
- Site A is running a Wireguard server configured using OPNsense documentation for a road warrior setup.
- The Wireguard tunnel network is 192.168.20/24.
- Site D IPSec is configured slightly differently. It's using a VTI for a route-based tunnel to just site B. This was an experiment that didn't produce any useful results. If needed I can switch this to the regular policy-based type of setup.

Other things to note:

Site A also has a mobile IPsec VPN configured as per official docs. It too lacks the ability to access remote subnets.
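The reason the Wireguard clients cannot reach the remote sites is that a policy-based IPsec tunnel only encrypts packets whose source and destination match a configured phase 2 selector (the SPD entry); a packet from 192.168.20.0/24 toward a remote LAN matches nothing, so it never enters the tunnel. The following planning script is an added example, not code from the post or from OPNsense: it takes the four sites from the post as constructed input and lists, per firewall, every selector pair that the existing LAN-to-LAN mesh still lacks once the Wireguard network must be reachable, and it checks that the added network does not overlap any remote subnet. The set of policy-based tunnels is an assumption derived from the post (B-D is treated as the route-based VTI, which selects traffic by routing table rather than by selector, so it is left out).

```python
"""Plan the phase 2 / SPD selector pairs that policy-based IPsec tunnels still
need before an extra network (here the Wireguard tunnel net) can reach remote
LANs.  Each selector must exist on BOTH ends of a tunnel, so the planner emits
the local->remote entry for one firewall and the mirrored entry for the other.
Added example; site data below is constructed from the forum post."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from itertools import product

Net = ipaddress.IPv4Network
N = ipaddress.ip_network


@dataclass
class Site:
    name: str
    lans: list[Net]                                  # subnets the mesh already carries
    extra: list[Net] = field(default_factory=list)  # nets not in any selector yet (Wireguard net)


@dataclass(frozen=True, order=True)
class Selector:
    site: str   # firewall on which this phase 2 / SPD entry must be configured
    local: Net
    remote: Net


def _pairs(site_a: Site, nets_a: list[Net], site_b: Site, nets_b: list[Net]) -> set[Selector]:
    """Selectors for both ends of one policy-based tunnel between nets_a and nets_b."""
    out: set[Selector] = set()
    for la, rb in product(nets_a, nets_b):
        out.add(Selector(site_a.name, la, rb))   # configured on A, pointing at B
        out.add(Selector(site_b.name, rb, la))   # mirrored entry configured on B
    return out


def missing_selectors(sites: dict[str, Site], policy_tunnels: list[tuple[str, str]]) -> list[Selector]:
    """Selector pairs each policy-based tunnel lacks once the 'extra' nets must be reachable."""
    missing: set[Selector] = set()
    for a, b in policy_tunnels:
        sa, sb = sites[a], sites[b]
        have = _pairs(sa, sa.lans, sb, sb.lans)                          # LAN-to-LAN mesh today
        need = _pairs(sa, sa.lans + sa.extra, sb, sb.lans + sb.extra)    # with the extra nets
        missing |= need - have
    return sorted(missing)


def overlapping_nets(sites: dict[str, Site]) -> list[tuple[str, Net, str, Net]]:
    """An extra net that overlaps another site's network would make selectors ambiguous."""
    clashes = []
    for s in sites.values():
        for e in s.extra:
            for t in sites.values():
                if t is s:
                    continue
                for other in t.lans + t.extra:
                    if e.overlaps(other):
                        clashes.append((s.name, e, t.name, other))
    return clashes


# Constructed from the post: LANs per site, Wireguard net 192.168.20.0/24 at site A.
SITES = {
    "A": Site("A", [N("192.168.0.0/24"), N("10.8.8.0/24")], extra=[N("192.168.20.0/24")]),
    "B": Site("B", [N("192.168.1.0/24"), N("10.8.7.0/24")]),
    "C": Site("C", [N("192.168.7.0/24"), N("10.8.9.0/24")]),
    "D": Site("D", [N("192.168.8.0/24")]),
}
# Assumed policy-based tunnels.  B-D is the route-based VTI from the post: a VTI
# carries whatever the routing table sends into it, so it needs a route for the
# extra net rather than an SPD entry and is deliberately not listed here.
POLICY_TUNNELS = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("C", "D")]

if __name__ == "__main__":
    for clash in overlapping_nets(SITES):
        print("overlap, fix before adding selectors:", clash)
    for sel in missing_selectors(SITES, POLICY_TUNNELS):
        print(f"site {sel.site}: add phase 2 / SPD  {sel.local} <-> {sel.remote}")
```

For the post's topology this yields five entries on site A (192.168.20.0/24 to each remote subnet of B, C and D) and the five mirrored entries spread over B, C and D; the B-C tunnel needs nothing because neither end carries the Wireguard net. The mobile IPsec client pool from the last paragraph would be handled the same way by appending it to site A's extra list, and the reverse-path firewall rules on each remote site still have to allow the new source network before anything answers.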