Again: Cross-host intercontainer communication trouble

I have referenced the article “Cross-host intercontainer communication trouble”, but it didn’t solve my problem.

I have two hosts; each host has one network adapter.
HOST A: ip: (running rancher/server and rancher/agent)
ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:ab:27:4f brd ff:ff:ff:ff:ff:ff
inet brd scope global ens32

HOST B: ip: (running rancher/agent )
ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:ab:6b:7e brd ff:ff:ff:ff:ff:ff
inet brd scope global ens32

( h3c fw dnat :—>
On Host A:
docker run -d --restart=always -p 8080:8080 rancher/server
open the url:

then add host A:
sudo docker run -e CATTLE_AGENT_IP=
-d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v0.9.2

then add host B:
sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v0.9.2

my problem is:
Containers started on the same host can ping each other, but containers on different hosts do not see each other.

I can’t confirm whether I started rancher-agent :-e CATTLE_AGENT_IP=

Please help me. Thanks.

Do you have UDP ports 500 and 4500 open on both hosts? These are required for the IPSec networking to work.

Yes, docker ps -a, I can see .
nc -u 4500

nc -u 4500

Not successful.

Do the hosts have the correct IP on the UI?

Same issue here.

I have 2 hosts (boot2docker 1.11.0) running on vSphere VMs.

VMs can ping each other.

All containers on one host can ping each other on the managed network, but communication to containers on the other host isn't possible over the managed network.

It looks like 500/UDP and 4500/UDP aren't mapped correctly into the rancher/agent-instance:v0.8.1

nc -u 4500 doesn't get a connection on and vice versa

docker ps shows
897ebd05a0ca rancher/agent-instance:v0.8.1 “/etc/init.d/agent-in” 8 minutes ago Up 8 minutes>500/udp,>4500/udp 07e33149-ac58-4400-885e-9c3fef432f34>500/udp,>4500/udp -> is this correct??
Shouldn't it be simply 500->500/udp on a host with one interface, or bound to the interface IP like>500/udp

One more note:

If I go to edit the network agent in the UI, there is a possibility to set [IP:]Port for IPSec communication between hosts. It is by default mapped 4500->4500/udp and 500->500/udp

If I put the correct public host IP in front like , save and then go back again, only 172 is saved in the field, so it looks like it's not allowed to enter an IP address in the field, even if the help text says so
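
The port-mapping question raised in this thread can be checked mechanically. The script below is an added example, not part of any post in the thread and not Rancher's own tooling: it parses a Docker `Ports` string and reports whether 500/udp and 4500/udp are published on the host. The helper name `check_ipsec_ports`, the sample string, and the assumption that peer hosts contact the default ports 500 and 4500 are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a Docker "Ports" string for the
# UDP mappings the thread says Rancher's IPSec networking needs (500, 4500).
# Live input, on each host, would come from:
#   docker ps --filter ancestor=rancher/agent-instance:v0.8.1 --format '{{.Ports}}'

# check_ipsec_ports PORTS_STRING  (hypothetical helper name)
# Prints one status line per required port; returns 0 only if both are
# published on their own port number and not bound to loopback.
check_ipsec_ports() {
    ports=$1
    rc=0
    for p in 500 4500; do
        # Published: "<host-ip>:<host-port>->500/udp". A bare "500/udp" is
        # only EXPOSEd by the image and is not mapped on the host.
        m=$(printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
            grep -E -- "->${p}/udp\$" | head -n 1)
        if [ -z "$m" ]; then
            echo "${p}/udp: NOT PUBLISHED"
            rc=1
            continue
        fi
        host_side=${m%%->*}          # e.g. 0.0.0.0:500
        host_ip=${host_side%:*}      # e.g. 0.0.0.0
        host_port=${host_side##*:}   # e.g. 500
        if [ "$host_port" != "$p" ]; then
            # Assumption: peers contact the default port, so a remap breaks them.
            echo "${p}/udp: REMAPPED to host port ${host_port}"
            rc=1
        elif [ "$host_ip" = "127.0.0.1" ]; then
            echo "${p}/udp: LOOPBACK ONLY"
            rc=1
        else
            echo "${p}/udp: ok (${host_ip}:${host_port})"
        fi
    done
    return "$rc"
}

# Constructed sample: the default mapping on a single-interface host.
sample='0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp'
check_ipsec_ports "$sample" || true
```

A passing result only shows that Docker has published the ports on the host; a firewall or NAT device between the hosts still has to forward UDP 500 and 4500.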