9th September 2009
jggimi

Step 1. Talk with your factory admin, and change your preshared key, since you have now published it here. It is your only authentication. Do not use "haiku". You hid the gateway addresses, but all it takes is a quick scan of 64 thousand IP addresses to find either gateway and quickly break your only authentication. And such keys should never be short, and never be words.

-----------------

Please clarify your RFC 1918 subnets: each location uses a separate subnet, correct? That is, the systems at the factory use 192.168.192.x IP addresses, and the systems at your site use 192.168.191.x? If these will stay separate subnets, then it makes the use of IPSec much, much easier.

Please confirm if it is your intention that a server or workstation with address 192.168.192.17 at the factory will still be 192.168.192.17 when connected to your local network. If so, then your ipsec.conf configuration will be straightforward.

Translation of subnets should only be necessary when there are IP addressing collisions, and those might only occur when connecting large organizations via VPN gateways. I would avoid it, if at all possible. While such translation can be done, it is complicated: see http://undeadly.org/cgi?action=artic...20090127205841
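An added illustration of the "straightforward" case the post describes (not jggimi's own configuration): an OpenBSD ipsec.conf(5) policy that tunnels the two separate RFC 1918 subnets between the gateways with no address translation, so a factory host keeps its 192.168.192.x address when reached from the 192.168.191.x side. The public gateway addresses are documentation placeholders, and the PSK is a placeholder to be replaced with a long random string.

```conf
# Constructed example for the gateway on the 192.168.191.0/24 side.
# Public addresses are placeholders (RFC 5737 documentation ranges).
local_gw  = "203.0.113.10"      # this gateway's external address (assumed)
peer_gw   = "198.51.100.20"     # factory gateway's external address (assumed)
local_net = "192.168.191.0/24"  # hosts at this site
peer_net  = "192.168.192.0/24"  # hosts at the factory

# One IKE-negotiated ESP tunnel between the two subnets. Because the
# subnets do not overlap, the flow is defined on the real addresses and
# no NAT of either side is needed.
ike esp from $local_net to $peer_net \
    local $local_gw peer $peer_gw \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# The factory gateway uses the mirror image of the same flow:
#   ike esp from $peer_net to $local_net local $peer_gw peer $local_gw ... psk "<same secret>"
# Generate the shared secret with something like: openssl rand -hex 32
# A dictionary word as the PSK leaves the tunnel open to offline guessing
# by anyone who can reach either gateway's IKE port.
```

Load it with `ipsecctl -f /etc/ipsec.conf` and inspect the resulting flows and SAs with `ipsecctl -sa`; the flow entries should show the two private subnets unchanged.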