VPN over VPN, possibly with SNAT

Question

Hello, 
 I want to do an IPSEC/IKE Client-Connection to a remote network, but over an existing Site-2-Site tunnel. And I only want to route this Client via Work-Network, not everything at home. For the remote network, it should appear as if the packets are coming from the work-network, although the client is in the home network. 
 It's like this: 
 Client@Home / Home-Network (192.168.1.0, Sophos 192.168.1.254) -> S2S -> Work-Network (10.10.10.0, Sophos 10.10.10.254) -> Remote-Network (public IP 193.10.1.1, non-manageable nor managed by me) 
 Client@Home is doing IPSEC/IKE VPN to the public IP of the Remote-Network. 
 So, what I'm doing: 
 I have a standard static route in place, saying: For connections to 193.10.1.1, use Gateway at work (10.10.10.254). 
 Now I'm thinking, what do I have to put into S2S networks, both local and remote. If anything at this point. All I want to is to establish a VPN-connection, not access any networks inside the tunnel - except the ones that are already set up, like the Home-Network and Work-Network, which are already in there obviously. 
 I also created the back-route for the Client, I set up a static route for Home-Networks to be the 192.168.1.254, though I don't think that's needed. At this point I am trying to connect the VPN from the Client with the Remote-Network over the Sophos at work. No-go. 
 I tried packet capture via CLI, monitoring the internal interface of the home Sophos, I see the packets, going from the client to the remote-network public IP, and then just the 2nd packet is already: publicIP sophos@home > client@homeIP: ICMP host "remote-publicIP" unreachable. 
 If I remove the routing via sophos@work, then VPN connects. 
 Please, am I missing something obvious? 
 Thank you.

BAlfson · Accepted Answer

I think there are two ways to accomplish this. I think both are fairly simple... 
 
 Add 99.99.99.99 to 'Local Networks' at work and to 'Remote Networks' at home. If you're not using 'Automatic firewall rules', you will need to add it to your manual rules. 
 In your home, make a Static Gateway Route: 99.99.99.99 via 88.88.88.88. At work, make a firewall rule: '77.77.77.77 -> Any -> 99.99.99.99 : Allow'. 
 
 NOTE (next day): In both cases, you will need an SNAT or a masq rule at work that changes the packet source from 77.77.77.77 to 88.88.88.88. 
 Let us know if you try one or both and which you decided to go with. 
 Cheers - Bob

Kosta88 · Answer

I don't believe it, but I think it works. Finally - it was merely a small thing, actually what I wrote above. I didn't consider that the TC at home must first connect the VPN, and it's doing that to an external IP (over the S2S tunnel). So I had to allow that through the tunnel too. I was only allowing private networks, but didn't think about the public one. 
 Anyway, the following setup: 
 Sophos Home: 
 Two Policy Routes: 
 - to 99.99.99.99 via 10.10.10.254 
 - to networks in the Datacenter via 10.10.10.254 
 S2S IPsec Remote Gateways: 
 - 99.99.99.99 and Datacenter networks 
 Sophos at Work: 
 SNAT for TC at home, Any/Any, translation to "Internal (Address)" (=10.10.10.254) 
 S2S IPsec Local Networks: same as above. 
 
 Only thing, I would like to make sure that it's working. 
 How can I actually do that, without any information from Datacenter? (I don't even believe they can go as far as invest that on request)