The roadwarriors carol and dave set up a connection to gateway moon. The authentication is based on Suite B with 128 bit security based on X.509 ECDSA certificates, ECP Diffie-Hellman groups and AES-GCM authenticated encryption. The kernel-libipsec plugin is used for userland IPsec AES-GCM authenticated ESP encryption.
Upon the successful establishment of the IPsec tunnel, an updown script automatically inserts iptables-based firewall rules that let pass the traffic tunneled via the ipsec0 tun interface. In order to test both tunnel and firewall, carol and dave ping the client alice behind the gateway moon.