[strongSwan] strongswan behind nat. vpn connected but packets not encrypted
Qqblog Qqblog
qqblog at ymail.com
Thu Jun 22 16:39:17 CEST 2017
I am a newbie to VPN. The VPN is connected, but packets are not encrypted.
Please kindly advise.
10.A.0.4 (A server, strongswan) -> google firewall 35.A.167.172 -> 203.B.127.136 huawei vpn -> 203.B.127.14 (public IP) B server

[A server]: can ping huawei vpn but not via tunnel. Cannot ping B server.
[B server]: can ping google firewall via tunnel.
#strongswan statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-696.3.2.el6.x86_64, x86_64):
  uptime: 3 hours, since Jun 22 10:32:40 2017
  malloc: sbrk 532480, mmap 0, used 395760, free 136720
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pgp dnskey sshkey pem gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
  10.A.0.4
Connections:
        cmhk:  %any...203.B.127.136  IKEv1/2
        cmhk:   local:  [10.A.0.4] uses pre-shared key authentication
        cmhk:   remote: [203.B.127.136] uses pre-shared key authentication
        cmhk:   child:  0.0.0.0/0 === 203.B.127.14/32 TUNNEL
Security Associations (1 up, 0 connecting):
        cmhk[5]: ESTABLISHED 45 minutes ago, 10.A.0.4[10.A.0.4]...203.B.127.136[203.B.127.136]
        cmhk[5]: IKEv1 SPIs: 93aaf2969c35614d_i 0d81525fcb1364fd_r*, pre-shared key reauthentication in 7 hours
        cmhk[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
        cmhk{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c519724e_i ccffe26a_o
        cmhk{5}:  3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 17 minutes
        cmhk{5}:   35.A.167.172/32 === 203.B.127.14/32
-------------------------------
ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 2, knl 1, cfg 2"

conn %default
        type=tunnel
        ike=3des-md5-modp1024
        ikelifetime=28800s
        esp=3des-md5-modp1024
        keylife=3600s
        keyexchange=ike
        authby=secret

conn cmhk
        left=%any
        leftsubnet=0.0.0.0/0
        right=203.B.127.136
        rightsubnet=0.0.0.0/0
        auto=add
------------------------------------
#ip xfrm policy
src 203.B.127.14/32 dst 35.A.167.172/32
        dir fwd priority 2819 ptype main
        tmpl src 203.B.127.136 dst 10.A.0.4
                proto esp reqid 1 mode tunnel
src 203.B.127.14/32 dst 35.A.167.172/32
        dir in priority 2819 ptype main
        tmpl src 203.B.127.136 dst 10.A.0.4
                proto esp reqid 1 mode tunnel
src 35.A.167.172/32 dst 203.B.127.14/32
        dir out priority 2819 ptype main
        tmpl src 10.A.0.4 dst 203.B.127.136
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
-------------------------------------------------
#ip route list table all
10.140.0.1 dev eth0  scope link
169.254.0.0/16 dev eth0  scope link  metric 1002
default via 10.140.0.1 dev eth0  proto static
local 10.A.0.4 dev eth0  table local  proto kernel  scope host  src 10.A.0.4
broadcast 10.A.0.4 dev eth0  table local  proto kernel  scope link  src 10.A.0.4
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
unreachable ::/96 dev lo  metric 1024  error -113 mtu 65536
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:a00::/24 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:7f00::/24 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:ac10::/28 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -113 mtu 65536
unreachable 2002:e000::/19 dev lo  metric 1024  error -113 mtu 65536
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -113 mtu 65536
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1460
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0  mtu 65536
local fe80::4001:aff:fe8c:4 via :: dev lo  table local  proto none  metric 0  mtu 65536
ff00::/8 dev eth0  table local  metric 256  mtu 1460
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
------------------------------------------------------------------
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
=======================================================
[server A]
ping 203.B.127.136
14:10:11.675222 IP centos-6-2.c.centos-169715.internal > 203.B.127.136: ICMP echo request, id 62844, seq 7, length 64
14:10:11.691214 IP 203.B.127.136 > centos-6-2.c.centos-169715.internal: ICMP echo reply, id 62844, seq 7, length 64
14:10:11.733312 IP centos-6-2.c.centos-169715.internal.ipsec-nat-t > 203.B.127.136.ipsec-nat-t: isakmp-nat-keep-alive

[server A]
ping 203.B.127.14
tcpdump host 203.B.127.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:11:44.079172 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 39, length 64
14:11:45.079175 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 40, length 64
14:11:46.079138 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 41, length 64
14:11:47.079137 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 42, length 64
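As an added diagnostic, not part of the post or of strongSwan itself: the script below parses `ip xfrm policy` output like that shown above and reports which policy, if any, selects a given packet. The sample is constructed from the post's policies with the anonymised octets A and B replaced by 0; a packet from the instance address 10.0.0.4 to 203.0.127.14 matches no `dir out` policy and is reported as clear, while the same packet from the NAT address 35.0.167.172 matches the tunnel template.

```python
import ipaddress

# Constructed sample in the format of `ip xfrm policy`, reproducing the tunnel
# policies shown in the post; the anonymised octets "A" and "B" are replaced by 0.
XFRM_POLICY_OUTPUT = """\
src 203.0.127.14/32 dst 35.0.167.172/32
        dir fwd priority 2819 ptype main
        tmpl src 203.0.127.136 dst 10.0.0.4
                proto esp reqid 1 mode tunnel
src 203.0.127.14/32 dst 35.0.167.172/32
        dir in priority 2819 ptype main
        tmpl src 203.0.127.136 dst 10.0.0.4
                proto esp reqid 1 mode tunnel
src 35.0.167.172/32 dst 203.0.127.14/32
        dir out priority 2819 ptype main
        tmpl src 10.0.0.4 dst 203.0.127.136
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("src "):  # a new entry starts at column 0
            policies.append({"src": ipaddress.ip_network(fields[1]),
                             "dst": ipaddress.ip_network(fields[3]),
                             "dir": None, "priority": 0, "tmpl": None, "mode": None})
        elif fields[:1] == ["dir"]:
            policies[-1]["dir"], policies[-1]["priority"] = fields[1], int(fields[3])
        elif fields[:1] == ["tmpl"]:
            policies[-1]["tmpl"] = (fields[2], fields[4])  # (tmpl src, tmpl dst)
        elif fields[:1] == ["proto"]:
            policies[-1]["mode"] = fields[fields.index("mode") + 1]
    return policies


def check_packet(text, src, dst, direction="out"):
    """Return 'clear' if no policy selects the packet, else '<mode> to <tmpl dst>'.
    Lowest priority number wins; per-socket entries (numeric dir) never match here."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in parse_xfrm_policies(text)
            if p["dir"] == direction and src_ip in p["src"] and dst_ip in p["dst"]]
    if not hits:
        return "clear"
    best = min(hits, key=lambda p: p["priority"])
    return "%s to %s" % (best["mode"], best["tmpl"][1])
```

Running `check_packet(XFRM_POLICY_OUTPUT, "10.0.0.4", "203.0.127.14")` returns "clear", which is what the tcpdump above shows for the ping to 203.B.127.14.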