IPSec N2N Blue to VPN connectivity

Hello everybody,
I connected two sites (home and office) via IPSec tunnel (IPFire CU158 to Draytek router). The tunnel is up and running. I can access my office network from my green zone at home. This works without NATing.

Now I would like to access my office network from my blue zone at home and wonder why it is so tricky :-). In the GUI I added “accept” rules from blue to purple (=VPN network) and vice versa. I get a “network unreacheable” reply from IPFire when trying to access the remote side. I added a SNAT to this blue2purple rule NATing the source to IPFire’s green IP. Still no success. I used “brute force” and added two iptables rules in the CLI (192.168.12.0 = office network):

[root@ipfire ~]# iptables -I FORWARD -p all -i blue0 -d 192.168.12.0/24 -j ACCEPT
[root@ipfire ~]# iptables -I FORWARD -p all -o blue0 -s 192.168.12.0/24 -j ACCEPT

Now I can reach the office network ‘out of the blue’ and I am seen there with IPFire’s green IP due to the SNAT.

(I cannot add the target network as a named network in the GUI, because it complains about the subnet already being occupied by an IPSec network. I can add “accept” rules from blue to ‘192.168.12.0/24’ and vice versa in the GUI but it still does not work.)

This problem is very much like this one: OpenVPN N2N Blue network Site 1 to Green network Site 2 but with IPSec.
I’m sure we cannot have a “default policy” for blue2vpn traffic, because there may be several tunnels with different policies. Still it would be nice to configure this in the GUI. I don’t think I found the best way to do it. Could some guru please explain the recommended way to configure blue2vpn traffic? I couldn’t find it in the wiki.

best regards
Kulm