Channel: Sophos User Bulletin Board

SNAT from one IPSec Tunnel to another

Hello, guys!

We have one task that we have not been able to complete for the past few days. We have an Astaro Virtual Appliance with a lot of IPSec tunnels. For this task we are dealing with only two of them.

Astaro Internal Network: 192.168.12.0/24

IPSec1:
Local net: 192.168.12.0/24
Remote net: 192.168.50.0/23

IPSec2:
Local net: 192.168.12.0/24
Remote net: 172.21.8.0/23

We need to NAT traffic from 192.168.50.0/23 to 172.21.8.0/23 with IP 192.168.12.1.

I have added network 172.21.8.0/23 to IPSec1 as a Local net to permit passing of these packets.

After that, I created an SNAT rule:
Traffic Source: 192.168.50.0/23
Traffic Service: Any
Traffic Destination: 172.21.8.0/23
Type: SNAT
Source: 192.168.12.1
Selected: "Rule applies to IPSec packets"

But I cannot see any translation while pinging or telnetting.

For tests, I cloned this SNAT rule and changed Traffic Source to another local network on the Astaro: 192.168.160.0/24.
Everything works correctly with this network: 192.168.160.0/24 is NATed to 192.168.12.1 and after that is sent to 172.21.8.0/23. I see NAT translations on the Astaro:

Proto NATed Address Destination Address State
icmp 192.168.160.1 172.21.8.210

So the SNAT rule doesn't change its behavior regardless of whether "Rule applies to IPSec packets" is turned on or off.

Please help, it's very important for us.
