In order to support Differentiated Services (DiffServ), two parallel IPsec connections between the subnets behind the gateways moon and sun are set up. Using XFRM marks one IPsec SA is designated for Best Effort (BE) traffic and the second SA for Expedited Forwarding (EF) traffic.
The authentication is based on a pre-shared key (PSK). In order to guarantee that the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun.