The roadwarriors carol and dave both set up a connection to gateway moon. The roadwarriors each unilaterally define a static virtual IP using the leftsourceip parameter. In order to detect potential address conflicts, the roadwarriors send their virtual IPs embedded in a configuration payload to moon for verification. In our scenario moon accepts the address choices thus allowing carol and dave to install their respective virtual IP addresses.
In order to test the tunnels both carol and dave ping the client alice behind the gateway moon as well as the inner interface of the gateway. The latter ping requires access to the gateway itself which is granted by the directive lefthostaccess=yes. The source IP of the two pings will be the virtual IP addresses carol1 and dave1, respectively. Also thanks to the automatically configured source route entries, moon is able to ping both roadwarriors by using the established net-net IPsec tunnels.