First of all, you need to:
set vpn ipsec auto-firewall-nat-exclude disable
This disables all the auto-generated firewall and NAT rules (the WAN_LOCAL accepts for UDP 500 and 4500 and for protocol ESP, the WAN_LOCAL accept for IPsec-decrypted packets arriving through the tunnel, the WAN_IN accept for IPsec-decrypted packets arriving through the tunnel, and the NAT exclude rule).
Now you have to create all of those firewall rules manually.
Instead of the NAT exclude rule, create a source NAT and a destination NAT rule that translate the entire subnet: 192.168.1.0/24 <-> 172.16.21.0/24.
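As an added example (not the poster's own configuration), these EdgeOS set commands recreate the auto-generated rules by hand and replace the NAT exclusion with a subnet-to-subnet translation. It assumes eth0 is the WAN interface, WAN_LOCAL and WAN_IN are the rulesets already applied to it, 10.99.0.0/24 stands in for the remote side's subnet, and the tunnel's local prefix is configured as 172.16.21.0/24.

```text
# Added example: manual replacement for the rules that
# auto-firewall-nat-exclude used to generate. Assumed names:
# eth0 = WAN interface, 10.99.0.0/24 = remote peer's subnet.

# WAN_LOCAL: IKE (UDP 500, NAT-T on UDP 4500), ESP, and traffic
# arriving decrypted from the tunnel and addressed to the router.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'IKE and NAT-T'
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,4500
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'ESP'
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description 'Decrypted IPsec to router'
set firewall name WAN_LOCAL rule 50 ipsec match-ipsec

# WAN_IN: traffic arriving decrypted from the tunnel and forwarded
# to the LAN. Restrict the source to the remote subnet.
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'Decrypted IPsec to LAN'
set firewall name WAN_IN rule 30 ipsec match-ipsec
set firewall name WAN_IN rule 30 source address 10.99.0.0/24

# Outbound: LAN hosts appear to the remote side as 172.16.21.x.
# The rule number must be lower than the masquerade rule (e.g. 5000)
# so tunnel traffic is translated here instead of being masqueraded.
set service nat rule 4000 type source
set service nat rule 4000 description 'LAN -> tunnel netmap'
set service nat rule 4000 outbound-interface eth0
set service nat rule 4000 source address 192.168.1.0/24
set service nat rule 4000 destination address 10.99.0.0/24
set service nat rule 4000 outside-address address 172.16.21.0/24

# Inbound: the remote side reaches 172.16.21.x, which maps back
# to the real 192.168.1.x host (same host bits).
set service nat rule 10 type destination
set service nat rule 10 description 'tunnel -> LAN netmap'
set service nat rule 10 inbound-interface eth0
set service nat rule 10 source address 10.99.0.0/24
set service nat rule 10 destination address 172.16.21.0/24
set service nat rule 10 inside-address address 192.168.1.0/24

# The IPsec tunnel must carry the translated prefix, not the real LAN:
# set vpn ipsec site-to-site peer <PEER> tunnel 1 local prefix 172.16.21.0/24
# set vpn ipsec site-to-site peer <PEER> tunnel 1 remote prefix 10.99.0.0/24
```

After commit, verify the translation with the live counters (`show nat statistics` and `show firewall name WAN_IN statistics`) while pinging a remote host from the LAN; the source NAT rule, not the masquerade rule, should be the one incrementing.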