One-to-one source NATting over IPSec VPN... possible?

Hello. I always appreciate the help on this forum. I can usually find my answer by searching, but this one evades me.

My client is implementing some new software in April. It requires IPSec VPN which I am currently running as a trial. (7 days left)

They have Untangle 12.2.1 with freebie apps only, and it has always been great for them in the past. I'm concerned that this is not possible with Untangle.

I have an IPSec tunnel configured and connected. It shows as active. The host demands that we use 1 to 1 NAT for all outgoing traffic. Our internal network is 192.168.0.0/24. The host must see our network as 10.136.29.0/24, when connecting to the 172.25.24.0/22 network, which is their internal network. The remote network must see a local IP that is, say, 192.168.0.10 as 10.136.29.10 . It's not happening.

On the IPSec Tunnels tab, I have Local Network and Remote Network set as above. It is connected and active, but we can't browse or ping.

Under Config, Network, NAT Rules I tried to make a NAT rule of "Destination Address is 172.25.24.0/22" , NAT Type Custom, New Source 10.136.29.0/24. It won't let me do it. It will only let me enter a single IP address in the New Source.

Cisco, Sonicwall, and Sophos firewalls are capable and supported by the host company. It seems to me that Untangle would be capable of this as well. Please help me out, and let me know if I need to go shopping for an expensive firewall that I don't like as much as Untangle!

You need to use multiple rules.

Oh... so a NAT rule for every connection. Not exactly what I was hoping to hear. I'll try a few and test it.

Thanks for the info.

I did successfully ping the gateway on the other side with single NAT rules created.

So... for incoming connections, would I have to make a port forward to every destination?

For example, a simple port forward rule with only Destination Address of 10.136.29.106 and New Destination 192.168.0.106, no port or protocols specified... I suppose a Source Address of 172.25.24.0/22 ... but I'm not sure that matters.

There are only 19 devices total on the network, so it wouldn't kill me to do this... if it works.

If you want inbound, yes. https://wiki.untangle.com/index.php/1:1_NAT
Also add an alias because Untangle now owns that IP.

For the record I wouldn't suggest doing double NAT at all.
I understand that there are often constraints to work with, but usually when you find yourself doing it, its the wrong solution.

I guess I didn't realize this is actually a kind of manual double NAT. It's only for the VPN traffic.

The Cisco VPN host apparently has about 400 VPN client networks, and half of them are probably 192.168.0.0, hence the source NATTING. I didn't consider adding an alias, since this is an internal IP. I would think adding an internal IP alias to an external interface would be a big no-no.

I plan on trying it, anyway. If it works, my client gets by with paying for Untangle's IPSec VPN app. If not, I guess we're shopping.

I'd rather add a bunch of manual entries to Untangle than change the network from 192.168 to 10.136. I don't know for sure if that would work for them either.