strongswan ipsec can't ping subnets


I have 2 strongswan instances connected, each can ping the other. My problem comes when either of the subnets wants to ping an IP on the other side: it doesn't happen. I know I need to add some masquerading but I can't figure out how (I have added the routes on the other network elements with route add -net x.x.x.x/x gw x.x.x.x).

Side A:

conn a-to-b
    leftfirewall=yes
    lefthostaccess=yes
    authby=secret
    auto=start
    compress=no
    type=tunnel
    keyexchange=ike
    fragmentation=yes
    forceencaps=no
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=172.16.2.249
    leftid=1.1.6.13
    leftsubnet=172.16.2.0/24
    rightid=%any
    right=1.1.7.3
    rightsubnet=10.10.0.0/24
    ike=aes128gcm16-sha256-modp2048
    esp=aes128gcm16-sha256-modp4096

Side B:

conn b-to-a
    authby=secret
    auto=start
    compress=no
    type=tunnel
    keyexchange=ike
    fragmentation=yes
    leftfirewall=yes
    forceencaps=no
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=1.1.7.3
    leftsubnet=10.10.0.0/24
    rightid=%any
    right=1.1.6.13
    rightsubnet=172.16.2.0/24
    ike=aes128gcm16-sha256-modp2048
    esp=aes128gcm16-sha256-modp4096

many thanks!

David Villasmil (best answer):

So I needed to:

on the gw with subnet 10.10.0.0/24:

iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -d 10.10.0.0/24 -j MASQUERADE
iptables -A FORWARD -s 172.16.2.0/24 -d 10.10.0.0/24 -j ACCEPT

on the gw with subnet 172.16.2.0/24:

iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -d 172.16.2.0/24 -j MASQUERADE
iptables -A FORWARD -s 10.10.0.0/24 -d 172.16.2.0/24 -j ACCEPT

And that's it!
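The same rule set as a reusable script, added here as an example and not part of the answer or of strongSwan itself; it assumes its two arguments are the gateway's own leftsubnet and rightsubnet from ipsec.conf, and it tightens the FORWARD accepts with the iptables policy match so that only IPsec-protected traffic between the two subnets is forwarded.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: generate the
# forwarding and NAT rules one gateway needs for the site-to-site tunnel.
# Assumption: the two arguments are this gateway's own leftsubnet and
# rightsubnet from ipsec.conf. With DRY_RUN=1 the commands are printed
# instead of executed, so the rule set can be reviewed before it is applied.

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gateway_rules LOCAL_SUBNET REMOTE_SUBNET
gateway_rules() {
    local_net=$1
    remote_net=$2
    # Forwarding between the LAN interface and the tunnel must be enabled.
    run sysctl -w net.ipv4.ip_forward=1
    # Decrypted packets from the remote subnet: accept only if they arrived
    # through an IPsec policy (xt_policy), not as plain traffic that merely
    # carries a source address from the remote subnet range.
    run iptables -A FORWARD -s "$remote_net" -d "$local_net" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Local packets towards the remote subnet: accept only those that will be
    # encrypted by an outbound IPsec policy.
    run iptables -A FORWARD -s "$local_net" -d "$remote_net" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # Same masquerade as in the answer: traffic from the remote subnet leaves
    # towards the LAN with the gateway's own address, so LAN hosts need no
    # route back to the remote subnet.
    run iptables -t nat -A POSTROUTING -s "$remote_net" -d "$local_net" -j MASQUERADE
}

# Side B (subnet 10.10.0.0/24):  ./gw-rules.sh 10.10.0.0/24 172.16.2.0/24
# Side A (subnet 172.16.2.0/24): ./gw-rules.sh 172.16.2.0/24 10.10.0.0/24
if [ "$#" -eq 2 ]; then
    gateway_rules "$1" "$2"
fi
```

Check the installed result with iptables -S FORWARD and iptables -t nat -S POSTROUTING on each gateway before sending production traffic through the tunnel.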