Hi,
If I understand your issue correctly, you'd like to masquerade your RUT955 LAN subnet 192.168.52.1 to WAN IP 10.43.116.1, so devices in HQ side of ipsec tunnel would see requests only from 10.43.116.1 IP and not 192.168.52.X, is that correct?
Also in your SNAT Iptables rule I’ve noticed that you’re using IP 10.43.116.21, was it mistyped? If not, could you PM me your network topology and troubleshoot file from your RUT955 so I could look into your current configuration. I’ll also look into the possibility to enable NAT for ipsec as by default there’s a firewall rule which exempts traffic that matches an IPsec policy from the NAT rule.
Troubleshoot file can be downloaded from WebUI -> System -> Administration -> Troubleshoot.
Regards,
Martynas