Thanks Aaron, it’s clear now, this definitely makes sense.
The main idea of this feature is NAT before the packets go into the IPsec tunnel. It can be translated to a single /32 IP address, just like your example above, and we are also considering another use case to do a 1-to-1 NAT mapping, just like the iptables NETMAP extension does, to help our IPsec users avoid any network conflict.
I have queued this up on our development roadmap. I can’t give you an exact date of release, but we’ll definitely look into this. Stay tuned.