Not sure what you mean by "bare", this is just IPsec, not L2TP/IPsec or any other VPN with IPsec, if you mean this
Yes, that's what I had in mind. Maybe I should have called it "standalone IPsec".
The netmap rule is something like this?
No need to repeat @Sob's correct answer
Then the src-nat action in another rule, and the netmap with dst-nat chain in another rule, right?
Yes, the netmap rules in srcnat and dstnat will handle solely the actual subnet to alias subnet translation; a separate src-nat/masquerade rule is necessary for the traffic from LAN to internet. But since the source subnet will likely be the same for both, it is important that the netmap rule in the srcnat chain that matches on dst-address=remo.te.sub.net/mask is placed before (above) the src-nat/masquerade one. Or you could add a route to remo.te.sub.net/mask and set its gateway to some port-less bridge created for the purpose, and then let the netmap rule match on out-interface=name-of-that-bridge. This might make sense if you want to prevent traffic that should go through the tunnel from leaking via WAN if the tunnel is down and the IPsec policy is created dynamically (a static policy intercepts the traffic even if the tunnel is down).
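The two rule layouts described above, written out as an added RouterOS example (not from the thread). It assumes a real LAN of 192.168.1.0/24 presented to the peer as the alias 10.0.1.0/24, a remote alias subnet 10.0.2.0/24, a WAN interface ether1-wan, and an IPsec policy matching 10.0.1.0/24 <-> 10.0.2.0/24 that already exists; all of these values are placeholders.

```routeros
# --- Variant A: order-dependent rules (assumed placeholder subnets) ---
# NAT rules are evaluated top-down, so the netmap in srcnat must sit
# ABOVE the masquerade rule: both match src-address=192.168.1.0/24.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=10.0.2.0/24 \
    action=netmap to-addresses=10.0.1.0/24 comment="IPsec: real LAN -> alias"
add chain=dstnat src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    action=netmap to-addresses=192.168.1.0/24 comment="IPsec: alias -> real LAN"
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1-wan \
    action=masquerade comment="LAN -> internet, must stay below the netmap"

# Verify the order; if the masquerade rule ended up first, move it down.
/ip firewall nat print
# /ip firewall nat move [find comment~"internet"] [find comment~"real LAN -> alias"]

# --- Variant B: route the remote alias into a port-less bridge ---
# Traffic for 10.0.2.0/24 is routed to a bridge with no ports, so the
# netmap can match on out-interface instead of relying on rule order.
# If the tunnel is down (dynamic policy), packets die in the dummy bridge
# instead of leaking out of ether1-wan.
/interface bridge add name=br-ipsec-dummy comment="no ports on purpose"
/ip route add dst-address=10.0.2.0/24 gateway=br-ipsec-dummy
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=br-ipsec-dummy \
    action=netmap to-addresses=10.0.1.0/24 comment="IPsec: real LAN -> alias (via dummy bridge)"
```

Use one variant or the other, not both; with variant B the srcnat netmap no longer needs the dst-address match because the route already selects the traffic.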