A connection between two identical 10.0.0.0/14 networks behind the gateways moon and sun is set up. In order to make network routing work, the subnet behind moon sees the subnet behind sun as 10.4.0.0/14 whereas the subnet behind sun sees the subnet behind moon as 10.8.0.0/14. The necessary network mappings are done on gateway sun using the iptables MARK and NETMAP targets.
Upon the successful establishment of the IPsec tunnel, on gateway moon the directive leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic whereas on gateway sun the script indicated by leftupdown=/etc/mark_updown inserts iptables rules that set marks defined in the connection definition of ipsec.conf both on the inbound and outbound traffic, create the necessary NETMAP operations and forward the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun and vice versa.