The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
To differentiate between the tunnels to alice and venus, XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using the mark parameter in ipsec.conf. iptables -t mangle rules in the PREROUTING chain then mark the traffic to and from alice and venus. The script designated by leftupdown=/etc/mark_updown automatically inserts the iptables mangle rules that mark the inbound ESP_IN_UDP packets, as well as iptables rules using the IPsec policy match that let the tunneled traffic pass. To test the tunnels, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun.
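The following script is an added illustration of the rule set described above, written for this page; it is not the strongSwan test's own /etc/mark_updown script and is not taken from the project. It shows, for gateway sun, the three pieces that keep two peers with an identical 10.1.0.0/25 subnet apart: the mangle PREROUTING marks on the inbound ESP-in-UDP packets (one per peer, distinguished by the UDP source port the NAT router assigned), the policy-match rules that admit only traffic that really arrived through IPsec, and the Source NAT that maps each peer's subnet to 10.3.0.10 or 10.3.0.20. The mark values 10 and 20, the outer addresses of moon and sun, the NAT-ed source ports and the function names are assumptions for illustration; port 4500 is the standard NAT-T port.

```shell
#!/bin/sh
# Added example for gateway sun (not the strongSwan test's /etc/mark_updown).
# Assumptions (constructed for illustration): mark 10 = alice, mark 20 = venus,
# outer addresses below, and the UDP source ports moon assigned to each peer.
IPT=${IPT:-iptables}      # set IPT=echo to print rules instead of installing them
MOON=${MOON:-192.168.0.1} # assumed outer address of NAT router moon
SUN=${SUN:-192.168.0.2}   # assumed outer address of gateway sun
NATSUBNET=10.1.0.0/25     # subnet both roadwarriors claim (from the scenario)

# peer_rules MARK NAT_SRC_PORT SNAT_ADDR
# A real updown script would take the port from PLUTO_PEER_PORT and the mark
# from PLUTO_MARK_IN / PLUTO_MARK_OUT; here they are passed as arguments.
peer_rules() {
    mark=$1; port=$2; snat=$3
    # 1. Inbound: mark this peer's ESP-in-UDP packets so XFRM selects the
    #    inbound SA carrying the same mark. The mark is inherited by the
    #    decrypted inner packet when it re-enters the stack.
    "$IPT" -t mangle -A PREROUTING -p udp -s "$MOON" --sport "$port" \
        -d "$SUN" --dport 4500 -j MARK --set-mark "$mark"
    # 2. Inbound, after decryption: admit the tunneled traffic only if the
    #    policy match confirms it arrived via IPsec and carries our mark.
    "$IPT" -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -m mark --mark "$mark" -s "$NATSUBNET" -j ACCEPT
    # 3. Outbound: bob replies to the SNAT address. mangle PREROUTING runs
    #    before nat PREROUTING undoes the SNAT, so match on $snat here; the
    #    mark then selects the right outbound policy/SA for the reply.
    "$IPT" -t mangle -A PREROUTING -d "$snat" -j MARK --set-mark "$mark"
    "$IPT" -A FORWARD -m policy --dir out --pol ipsec --proto esp \
        -m mark --mark "$mark" -d "$NATSUBNET" -j ACCEPT
    # 4. Source NAT the decrypted packets of this peer to a unique address,
    #    keyed on the inherited mark rather than on the (ambiguous) source subnet.
    "$IPT" -t nat -A POSTROUTING -m mark --mark "$mark" -s "$NATSUBNET" \
        -j SNAT --to-source "$snat"
}

# Both peers of the scenario; the NAT-ed source ports are assumed values.
install_rules() {
    peer_rules 10 "${ALICE_PORT:-4500}" 10.3.0.10   # alice -> 10.3.0.10
    peer_rules 20 "${VENUS_PORT:-1025}" 10.3.0.20   # venus -> 10.3.0.20
}

# Print the rule set without touching the kernel (useful for review and tests).
dry_run() {
    ( IPT=echo; install_rules )
}

case "${1:-}" in
    install) install_rules ;;
    dry-run) dry_run ;;
esac
```

Run `sh mark_rules.sh dry-run` to review the generated rules, or `sh mark_rules.sh install` as root on a test gateway. The important design point is step 4: the SNAT is keyed on the mark, not on the source subnet, because the source subnet is the very thing the two peers have in common.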