The hosts alice, venus, carol, and dave set up tunnel connections to gateway moon in a hub-and-spoke fashion. Each host requests a virtual IP with the leftsourceip=%config parameter. Gateway moon assigns virtual IP addresses from a pool named extpool [10.3.0.1..10.3.1.244] to hosts connecting to the eth0 (PH_IP_MOON) interface and virtual IP addresses from a pool named intpool [10.4.0.1..10.4.1.244] to hosts connecting to the eth1 (PH_IP_MOON1) interface. Thus carol and dave are assigned PH_IP_CAROL1 and PH_IP_DAVE1, respectively, whereas alice and venus get 10.4.0.1 and 10.4.0.2, respectively.
By defining the composite IPsec SA: rightsubnet=10.3.0.0/16,10.4.0.0/16, each of the four spokes can securely reach any other spoke via the central hub moon. This is demonstrated by alice and dave pinging the assigned virtual IP addresses of carol and venus.