@Lasermatrix 

I can understand your requirement but the simple solution is just build another IPSec VPN between remote site 1 and remote site 2 directly.

If you want to use your own ER605 to let them communicate with each other, it will be more difficult and I will offer my suggestions, but I did not test these configurations:

1. On your own router and remote site 1, you need to build up two IPSec tunnels.

One is for 192.168.0.1/24<--> 192.168.3.0/24;

Another one is for 192.168.3.0/24<-->192.168.2.0/24

2. On your own router and remote site 2, you also need to build up two IPSec tunnels.

One is for 192.168.0.1/24<--> 192.168.2.0/24;

Another one is for 192.168.2.0/24<-->192.168.3.0/24

You cannot use Omada Controller to build these tunnels since on Controller, the local LAN can not be customized. It only allow you to choose the existing LAN network on this router. However like I mentioned before, on your own router you need to define 192.168.3.0/24 and 192.168.2.0/24 as local network also. (they are not your own router's LAN network, but when you set up IPSec in standalone you can just put in the subnet manually)

Again I did not test this, I just think it should work.

  @Somnus Thanks for your input :)

I would normally do a site to site between them, but because they are both connected to the mobile network, they have CG-NAT in front of them.

I will give your other idea a go, thank you :)

  @Somnus Thanks a lot, u've helped me too!